Skip to main content

GDPR and Data Protection FAQs

GDPR and Data Protection Act FAQs

The current Data Protection Act is set to be replaced by the General Data Protection Regulation (GDPR) in May 2018. The GDPR framework offers greater protection for the personal data of individuals and tougher punishments for non-compliance.

The University is currently working to ensure all Schools and departments understand their responsibilities under GDPR. Please remember that GDPR builds upon the existing data protection measures that staff and information processes and systems should already be compliant with. There will be further advice and guidance issued around GDPR over the coming weeks and months.

For more information please see our GDPR FAQs and the privacy pages.

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018. The change provides organisations with an opportunity to review how they handle personal data, encouraging transparency in processes.

GDPR becomes enforceable from 25 May. Work will continue well beyond this date to ensure that processes, records, privacy notices etc are all reviewed regularly and are kept up to date.

The University has formed a task group chaired by Andrew Hartley, Director of Legal and Information Governance and the University of Salford Data Protection Officer. The task group will oversee the way in which GDPR requirements are implemented. As an important initial step we have conducted an initial information audit. Other work streams include Last updated 18 May 2018

  • privacy notices,
  • records retention,
  • managing data subjects rights,
  • providing advice,
  • training and awareness
  • incident reporting
  • communications – to both staff & students

Your task group representative will be able to help you with any initial questions. Please speak to them in the first instance.

We are all responsible for the safe use of personal data. It is your responsibility to check that your work is in line with guidance issued by the ICO, the Legal and Information Governance team and local procedures. There will soon be a new e-learning toolkit available to staff. If, once you’ve completed this training, you think you need additional training, please email There is work underway within most areas of the University. Check with your GDPR Task Group representative to see what is going on in your area.

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

We will still keep this regulation once the UK leaves the EU for two reasons:

  • this Regulation comes into effect before we leave the EU so we need to implement it for the time we are in the EU, and
  • when the UK is no longer part of the EU it will be necessary for the UK to prove that our standards for processing personal data are at least as good as those throughout the EU, for the remaining countries to be able to transfer data to the UK. One way of proving the UK data processing standards is to retain the basis of the EU Regulation on which all other Member States are using to regulate data processing.

The main changes in the GDPR are:

  • that the legislation is now technology neutral, so it applies to personal data held in any format whether paper or electronic, held in files, on laptops, phones, cameras, video tapes, audio recordings, emails, cloud storage, etc
  • the definition of Personal Data has changed to include location data and online identifiers
  • the definition of Sensitive Personal Data has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual
  • the term Sensitive Personal Data itself changes to Sensitive Category Data (SCD)
  • that data subject rights are extended and improved
  • the requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and sensitive personal data, and for this to be made clear at all times
  • the introduction of compulsory data breach notification
  • increased fines for data, and notification, breaches
  • the requirement for transparency and accountability
  • increased responsibility of data processors for data processing.

Work is underway to agree a university wide records retention schedule, which will provide detail of how long documents should be kept for. They will be based on the Jisc recommendations.

  • The Information Commissioner’s Office is the UK watchdog and regulatory body that governs data protection law. Their website has a lot of useful information and guidance.
  • E-learning will soon be available to staff. This will be a mandatory unit, and will cover the basics of GDPR.
  • The Information Governance Web Pages will be updated regularly with more information.
  • Speak to your GDPR Task Group representative

The good news is that most of the data processed by the university falls within our public task, or form part of our obligations under contract with the student. Consent needs to be managed carefully. The GDPR requires consent to be ‘specific, explicit, informed and freely given’. In order for the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of a form. 

Similarly, for the consent to be ‘explicit’ the individual must sign/agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they agree/sign once to agree to be part of the research and then sign/agree a second time to the actual data processing that is involved. This consent must be retained for as long as the data to which it refers is held.

Having, and making available a fair processing notice (see FAQ 7) means that when a person consents to their data being processed, their consent is informed by the information provided in the fair processing notice.

The final element of consent, that it is ‘freely given’, may be the hardest to achieve. If there is any element of the processing of the personal data that cannot be started, or continue without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.

Under the GDPR data breach notification is now compulsory whereas it was voluntary under the DPA 1998. The ICO will issue guidelines for when it is necessary to report a breach (similar to those in existence under the DPA, but the GDPR requires that the data controller shall report a data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

This depends. If consent has been used as the legal basis for processing, then an individual has the right to withdraw consent at any time, and the information must be deleted. However, for other legal bases of processing, the right to erasure is not an absolute right and a test needs to be applied to see if the information should be retained. In each case or request, a log should be kept of the request, the decision, and any documents to support the justification for the decision.

We should certainly think about how much data we record and whether we need all of it to complete our activities, but if it is necessary and we have adhered to all the GDPR recommendations you should not stop recording it or remove it from documents or systems

You should speak to your Task Group representative in the first instance or email if they cannot answer your question.

There are many things you can do to look after data effectively, listed below are some best practice approaches which we will update regularly.


Always carry in hand luggage when travelling & use a privacy screen when in a public place

Computers at Work:

Lock your screen whenever you are away from your desk


These should be a mixture of upper & lower case, numbers and symbols. If you use a PIN make it longer than the standard 4 digits. And never use a password that you use elsewhere

File Transfers

When sending to third parties you should encrypt the file and use secure data transfer systems

If you have to send data to another person within your organisation you don’t have to encrypt but you should password protect and then send the password in a separate email

Mobile Phones

These should be carried with you at all times and PIN/Facial recognition protected


Operate a clear desk policy – not only will it make you more organised it will ensure that all paper files are secured at all times


We should digitalise files wherever possible; making it easier to store and search, but if you have to keep a hard-copy this should be under lock and key.

GDPRGeneral Data Protection Regulation
DPIAData Protection Impact Assessment
SARSubject Access Request