GDPR and Data Protection Act FAQs

In the UK, an individual’s personal data is protected by law under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The GDPR framework offers greater protection for the personal data of individuals and tougher punishments for non-compliance than previous data protection regulation.

The University is currently working to ensure all Schools and departments understand their responsibilities under GDPR. Please remember that GDPR builds upon the existing data protection measures with which staff, information processes and systems should already comply.

For more information please see our GDPR FAQs and the privacy pages.

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018. The change provides organisations with an opportunity to review how they handle personal data, encouraging transparency in processes.

The University has formed a task group chaired by Andrew Hartley, Director of Legal and Information Governance and the University of Salford Data Protection Officer. The task group will oversee the way in which GDPR requirements are implemented. Work completed to date includes:

  • an initial information audit
  • privacy notices
  • records retention
  • managing data subjects’ rights
  • providing advice
  • training and awareness
  • incident reporting
  • communications to both staff and students
  • Data Protection Impact Assessments

Your task group representative will be able to help you with any initial questions. Please speak to them in the first instance.

We are all responsible for the safe use of personal data. It is your responsibility to check that your work is in line with guidance issued by the ICO, the Legal and Information Governance team and local procedures. There is an e-learning toolkit available to staff. If, once you’ve completed this training, you think you need additional training, please email.

There is work underway within most areas of the University. Check with your GDPR Task Group representative to see what is going on in your area.

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person, that is, a person who can be directly or indirectly identified, in particular by reference to an identifier.

We will still keep this regulation once the UK leaves the EU, for two reasons:

  • this Regulation comes into effect before we leave the EU, so we need to implement it for the time we are in the EU, and
  • when the UK is no longer part of the EU, it will be necessary for the UK to prove that our standards for processing personal data are at least as good as those throughout the EU, so that the remaining Member States are able to transfer data to the UK. One way of proving the UK’s data processing standards is to retain the basis of the EU Regulation that all other Member States are using to regulate data processing.

The main changes in the GDPR are:

  • that the legislation is now technology neutral, so it applies to personal data held in any format, whether paper or electronic, held in files, on laptops, phones, cameras, video tapes, audio recordings, emails, cloud storage, etc.
  • the definition of Personal Data has changed to include location data and online identifiers
  • the definition of Sensitive Personal Data has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual
  • the term Sensitive Personal Data itself changes to Sensitive Category Data (SCD)
  • that data subject rights are extended and improved
  • the requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and sensitive personal data, and for this to be made clear at all times
  • the introduction of compulsory data breach notification
  • increased fines, both for data breaches and for failing to notify them
  • the requirement for transparency and accountability
  • increased responsibility of data processors for data processing.

Information about retention can be found here.

  • The Information Commissioner’s Office is the UK watchdog and regulatory body that governs data protection law. Their website has a lot of useful information and guidance.
  • Mandatory e-learning is available to all staff
  • The Information Governance Web Pages will be updated regularly with more information.
  • Speak to your GDPR Task Group representative

The good news is that most of the data processed by the University falls within our public task, or forms part of our obligations under contract with the student. Consent needs to be managed carefully. The GDPR requires consent to be ‘specific, explicit, informed and freely given’. In order for the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of a form.

Similarly, for the consent to be ‘explicit’ the individual must sign/agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they agree/sign once to agree to be part of the research and then sign/agree a second time to the actual data processing that is involved. This consent must be retained for as long as the data to which it refers is held.

Having, and making available, a fair processing notice (see FAQ 7) means that when a person consents to their data being processed, their consent is informed by the information provided in that notice.

The final element of consent, that it is ‘freely given’, may be the hardest to achieve. If there is any element of the processing of the personal data that cannot start, or continue, without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.

Under the GDPR, data breach notification is now compulsory, whereas it was voluntary under the DPA 1998. The ICO will issue guidelines for when it is necessary to report a breach (similar to those in existence under the DPA), but the GDPR requires that the data controller shall report a data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

This depends. If consent has been used as the legal basis for processing, then an individual has the right to withdraw consent at any time, and the information must be deleted. However, for other legal bases of processing, the right to erasure is not an absolute right and a test needs to be applied to see if the information should be retained. In each case or request, a log should be kept of the request, the decision, and any documents to support the justification for the decision.

We should certainly think about how much data we record and whether we need all of it to complete our activities, but if it is necessary, and we have adhered to all the GDPR requirements, you should not stop recording it or remove it from documents or systems.

You should speak to your Task Group representative in the first instance or email if they cannot answer your question.

There are many things you can do to look after data effectively. Listed below are some best-practice approaches, which we will update regularly.

Laptops

Always carry your laptop in hand luggage when travelling, and use a privacy screen when in a public place.

Computers at Work

Lock your screen whenever you are away from your desk.


These should be a mixture of upper & lower case, numbers and symbols. If you use a PIN make it longer than the standard 4 digits. And never use a password that you use elsewhere

File Transfers

When sending to third parties you should encrypt the file and use secure data transfer systems.

If you have to send data to another person within your organisation you do not have to encrypt the file, but you should password-protect it and then send the password in a separate email.

Mobile Phones

These should be carried with you at all times and protected by a PIN or facial recognition.


Operate a clear desk policy – not only will it make you more organised it will ensure that all paper files are secured at all times


We should digitalise files wherever possible; making it easier to store and search, but if you have to keep a hard-copy this should be under lock and key.

Glossary

  • GDPR: General Data Protection Regulation
  • DPIA: Data Protection Impact Assessment
  • SAR: Subject Access Request