Data protection

The security of data is really important to us and, with the introduction of the General Data Protection Regulation (GDPR), we want to make sure you know what these changes will mean to the way we collect, store and use data.

It’s our duty to maintain the privacy of our employees, students, customers and partners. And we are all responsible for achieving and sustaining compliance with this new legislation.

What is GDPR?

The General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998. The legislation aims to promote a more compliance-based approach to data protection, with an emphasis on transparency, accountability and data protection by default and design.

The focus has shifted away from enforcement against security breaches and data loss towards an overall compliance culture, requiring a more comprehensive framework of policies and procedures.

The six principles of GDPR:

  1. Lawfulness, fairness & transparency
  2. Purpose limitations
  3. Data minimisation
  4. Accuracy
  5. Storage limitations
  6. Integrity and confidentiality.

GDPR removes any ambiguity about who is responsible for privacy, making it clear that we are responsible for the data we hold. The regulator, the Information Commissioner’s Office (ICO), has increased powers to fine organisations up to €20m, or 4% of global turnover if the breach is particularly serious.

Some key points from the GDPR are:

  • there is a wider definition of personal data, including technical data such as location data and online identifiers (eg IP addresses)
  • new categories of sensitive personal data are added: genetic data and biometric data
  • there is a strong emphasis on accountability and transparency
  • organisations need to maintain records of their data processing
  • there will be increased rights for data subjects
  • it specifies more detailed security requirements
  • there are increased controls on the use of third parties for processing of personal data
  • a Data Protection Officer must be appointed.

What do I need to do?

We all need to make changes to everyday processes, and the in-house team has been put in place to provide advice, guidance, tools and templates to make sure your processes comply with the new legislation. These can be accessed from the left-hand menu.

Staff training

You need to understand the new legislation so that you and your line manager can identify the changes you need to make in the way you collect, store and use data.

To help prepare you, a mandatory eLearning module, ‘Data Protection Essentials: General Data Protection Regulation edition’, has been developed and all staff are automatically enrolled. You can access it at HR Online.

The focus is shifting away from enforcement against security breaches and data loss towards an overall compliance culture, requiring a more comprehensive framework of policies and procedures.

Further information and support

The Secretary and Clerk has overall responsibility for GDPR compliance; a small operational GDPR Action Party (GAP) reports to him as Chair of the Data Governance Steering Committee (DGSC). We are also working with around 30 Data Protection Champions from Faculties and Professional Services, including Faculty Business Managers. Together we’re taking forward GDPR implementation work across ARU. Your Dean or Director is responsible for assuring that policy and practice are applied effectively.

Your Faculty or Professional Services Data Champion is available for day-to-day enquiries in relation to records management and data protection, including GDPR.

For more complex enquiries and advice, please contact the Secretary & Clerk’s Office:

Helen Guy – Information Compliance Officer
David Humphreys – Information Compliance Manager
Dawn Taylor – Head of Compliance & Risk
Alex Lock – Compliance Manager (Systems & Data)

Further guidance on the GDPR can be found on the ICO website.

A copy of the regulation can be found on the EU website.