Key GDPR Changes

The GDPR introduces a number of changes to data protection practices and will require the University to review and revise its approach to data handling. Key changes include: 

  1. Privacy notices: more detailed privacy notices are required, which explain the purpose and legal basis behind processing activities;
  2. Accountability: stronger requirements to demonstrate compliance; record-keeping regarding all data processing activities;
  3. Privacy by Design and Default should be the norm;
  4. Data Protection Impact Assessments (DPIAs): mandatory for all new processing activities where privacy risks are high;
  5. Sensitive personal data: now includes genetic and biometric data;
  6. A broader definition of personal data: now includes ID numbers, IP addresses and reversibly anonymised (‘pseudonymised’) data;
  7. Consent: must be ‘opt-in’ (rather than being assumed from lack of action), freely given, informed and specific to named processing activities; data subjects will be able to withdraw consent at any time;
  8. Right to be forgotten: data subjects can request that their data is deleted in some circumstances;
  9. Right to data portability: data subjects can request their data in a portable format, in order to move it to another data controller;
  10. Subject Access Requests: individuals still have a right to request access to their personal data held by an organisation; this can no longer be charged for; the response time limit is reduced from 40 days to one month;
  11. More restrictive rules around the use of child data: restricts the age at which individuals can lawfully give consent, introduces rules for the language used in consent requests targeted at children and regulates the way online services obtain children’s consent;
  12. International transfers: new rules for transfers outside the European Economic Area (EEA);
  13. Breach notification: must notify the Data Protection Commissioner within 72 hours of becoming aware of a data protection breach;
  14. Fines: tougher financial penalties (fines of up to 4% of annual global turnover or €20 million, whichever is greater).

Office of Corporate and Legal Affairs

1st Floor, East Wing, Main Quadrangle,