No flash message
Some of the content and features delivered by this site requires JavaScript to be enabled in your browser
Thursday 22 February
My.Anglia > Staff > Sec clerk > Data Protection

Data Protection


What is GDPR?

6 Key Principles of GDPR

How is it different to the Data Protection Act?

When does it come in to force?

Who is leading on this for ARU?

What is the team doing?

What do I need to do?

Further Information and Support

The security of data is really important to us and with the introduction of the General Data Protection Regulation (GDPR) we want to make sure you know what these changes will mean to the way we collect, store and use data.
It’s our duty to maintain the privacy of our employees, students, customers and partners. And we are all responsible for achieving and sustaining compliance with this new legislation.

What is GDPR?


The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998.
The legislation aims to promote a more compliance-based approach to data protection, with an emphasis on transparency, accountability and data protection by default and design.

“As a result of these changes, future projects and our systems currently processing personal data will be subject to data privacy impact assessments.”


6 Key Principles of GDPR


The focus is shifting away from enforcement against security breaches and data loss towards an overall compliance culture, requiring a more comprehensive framework of policies and procedures.

How is it different to the Data Protection Act?


It removes any ambiguity about who is responsible for privacy, making it clear that the organisation that holds your data is responsible. The regulator, the Information Commissioner’s Office (ICO), also has increased powers to fine organisations. Currently the maximum fine limit is £500k but this will increase to £20m euros, or 4% of global turnover if the breach is particularly serious.

“GDPR requires a 180-degree turn in how organisations regard and treat personal data.  We must get used to thinking about the lawful basis used to collect, store or use that data, even if we have already have collected it!”


Some key points from the GDPR are:

  • There is a wider definition of personal data, including technical data such as location data and online identifiers (e.g. IP addresses). New categories of sensitive personal data are added: genetic data and biometric data
  • There is a strong emphasis on accountability and transparency
  • Organisations need to maintain records of their data processing
  • There will be increased rights for data subjects
  • It specifies more detailed security requirements
  • There are increased controls on the use of third parties for processing of personal data
  • A Data Protection Officer must be appointed.


When does it come into force?


GDPR has been live since April 2016, but compliance is mandatory on 25 May 2018.


Who is leading on this for ARU?


The Secretary and Clerk has overall responsibility for GDPR implementation; a small operational GDPR Action Party (GAP) reports to him as Chair of the Data Governance Steering Committee (DGSC). The University’s Information Management and Advisory Group (IMAG) is working with around 30 Data Protection Champions from Faculties and Professional Services, including Faculty Business Managers.  Together we’re taking forward the implementation work across ARU.

Your Dean or Director is responsible for assuring policy and practice is implemented effectively, so it can be demonstrated to regulatory bodies if needed.


What is the team doing?


We all need to make changes to everyday processes, and the in-house team has been put in place to provide advice, guidance, tools and templates to make sure your processes comply with the new legislation.

  • A Data Protection Officer has been appointed and they can be contacted via email
  • We are reviewing all our internal Data Protection Policies to make sure they are transparent, readily accessible and have gone through appropriate governance at the highest level
  • We are drafting procedures for mitigating poor compliance and remedying data breaches
  • We have approved a mandatory training programme.


“Revised policy, standard operating procedures and guidance, covering all of these areas and more, will be released on these pages over the course of the next few months, leading up to the full implementation of the GDPR from May 2018.”


What do I need to do?


The business of storing and using data to communicate with individuals is just another part of getting the job done. However, under the GDPR, every item of personal data and every communication will require careful thought.  You will need to respond to their requests to access, erase or update personal data. And in the unlikely event of a breach, you’ll need to get in touch to let them know.

You need to understand the new legislation so you and your line manager identify the changes you need to make in the way you collect, store and use data.
To help prepare you a mandatory eLearning module ‘Data Protection Essentials: General Data Protection Regulation edition has been developed and all staff are automatically enrolled. You can access it here:

“Protect people’s privacy and data like it’s your own.”

ARU’s Dos and Don'ts for Data Protection & GDPR Compliance document contains basic guidance on how to handle personal data under the General Data Protection Regulation (GDPR). This document can be found here.

Further information and support


Your Faculty or Professional Services Data Champion is available for day to day enquiries in relation to records management and data protection including GDPR.
For more complex enquiries and advice please contact the Secretary & Clerks Office:

Information Compliance Officer


FOI enquiries
SAR & data protection administration

Shane Murphy
University Records Manager


Expert GDPR and data protection advice

Dawn Taylor
Head of Compliance & Risk


Strategic and operational oversight of records management activities

Further guidance on the GDPR can be found on the ICO website.

A copy of the regulation can be found on the EU website.