Building on my earlier post, all researchers (actually all citizens of the EU) need to get themselves ready for the change in legislation around collecting, using and sharing our personal data. For us in the UK this will replace the Data Protection Act, which we have been beholden to since 1998, with the new regulations coming in across Europe on 25 May 2018.
In the UK this falls under the remit of the Information Commissioner’s Office (ICO), which has conducted consultations as part of the European initiative and will be our national data protection authority. The ICO supplies a Guide to the GDPR as well as a page with updates as the final stages of clarification of the detailed implementation of the GDPR become apparent. These pages are written in particular for organisations who act as ‘data controllers’ and ‘data processors’ (using definitions of each similar to those in our existing Data Protection Act). Researchers operating within universities should expect their university to guide them with GDPR-compliant policies and procedures (and to hold them to these, as accountability is one of the key obligations of data controllers) so that they can organise data collection, storage and reporting for individual/group projects. What needs to be clarified is the extent to which such researchers are data controllers, i.e. responsible for determining the purposes of their study’s data collection, and not only data processors, i.e. responsible to the data controllers for collecting, storing and reporting the data. Independent researchers, by necessity, will hold both roles in full. There is a particular set of responsibilities set out for each role, and the ICO has helped summarise these in two checklists. One key aspect of the GDPR is that data protection should be designed into the way we work with data from the outset, rather than applied retrospectively or reactively: this is the principle of privacy by design (referred to in Article 25 of the GDPR).
We all need to keep our eyes on where we will stand in relation to the GDPR after the UK leaves the EU and becomes a third country (follow this link to a recent report about how the EU is getting ready for this). The regulations apply both to those working in institutions in the EU, even when they collect data from outside the EU, as many researchers with international studies do, and to those outside the EU who collect data from people in the EU. Non-EU (third) countries are currently being vetted to determine which are approved as having adequate data protection. Cross-border transfer of data to countries not considered adequate remains possible under the circumstances outlined in Articles 46(1) and 49 of the GDPR.
One of the major changes of the GDPR is the increase in the rights of data subjects, i.e. those about whom data is collected and processed. This applies to the data trail any of us leave related to our personal data, i.e. data which can be used to identify us and which we have a right to protect as part of our right to privacy. The GDPR sets out the following data protection rights for individuals:
- to be informed (about its collection, storage and use)
- of access (to data held about us)
- to rectification (of inaccuracies)
- to erasure (once used for legal purposes)
- to restrict processing (whilst other rights are being investigated)
- to data portability (once collected and at our request)
- to object (to decisions made about our data)
- in relation to automated decision making and profiling (as used on some social media platforms and commercial search engines)
In summary, the GDPR is underpinned by six principles (to be found in Article 5(1)):
- Lawfulness, fairness and transparency (which relate to clear communications, systematic processes and legal purposes)
- Purpose limitation (meaning that data is only collected for specified purposes)
- Data minimisation (such that only data needed for the specific purpose is collected)
- Accuracy (such that data is kept up to date, and data subjects can object if it is incorrect)
- Storage limitation (such that data subjects know how long the data will be kept, which should be no longer than needed for the specified purposes)
- Integrity and confidentiality (which link to the fundamental right of us all to privacy)
There is still fine-tuning taking place between now and May 2018. For example, a consultation about consent and transparency was just completed in January 2018, and the Information Commissioner’s Office has provided detailed guidance on Children and the GDPR for public consultation, which closes on 28 February 2018. This is a particular area of regulation change. For example, consent will be needed for data which could identify children (including images and audio), from their parents/guardians and/or from the children themselves. Children will be considered able to give consent from the age of 16 across the EU, and possibly from as low as age 13 in the UK. Keep an eye on the ICO What’s new page…!
To keep informed and get ready I recommend a) keeping an eye out and following ICO guidance and b) joining the University of Groningen’s excellent course on FutureLearn ‘Understanding the GDPR’ – open for registration NOW.