General Data Protection Regulation

What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU-wide law that sets out how organisations must handle personal data. It came into effect on 25 May 2018. In the UK, the GDPR together with the Data Protection Act 2018 replaced the Data Protection Act 1998.

Why change?

The GDPR was introduced to:

  • better reflect the data protection challenges arising in the digital age;
  • address globalisation and harmonise data protection practice across Europe;
  • afford individuals greater control over their own personal data;
  • modernise existing data protection arrangements.

Key changes

Despite sharing many similarities with the 1998 Act, the GDPR introduced a number of changes to data protection practice. Key changes included:

  • tougher financial penalties - fines of up to 4% of annual global turnover or €20 million (whichever is greater);
  • a more stringent data breach notification process;
  • a requirement for larger organisations (including the University) to appoint a Data Protection Officer;
  • a broader definition of personal data;
  • more restrictive rules around the use of child data;
  • a new approach to consent;
  • new and expanded data subject rights e.g. a right to erasure, data portability and objection;
  • mandatory data protection impact assessments for processing arrangements where privacy risks are high;
  • a reduced timeframe for handling subject access requests;
  • slightly revised processes for international data transfers;
  • stronger rules around record-keeping.

Key definitions

Personal data

Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data includes: name, date of birth, National Insurance (NI) number, home address, email address, student ID number, dates of enrolment, attendance information, visa and immigration information, student or staff photo, disciplinary information, bank and financial details, exam and assessment results.

Special categories of personal data

i.e. personal data revealing:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • data concerning health;
  • sex life or sexual orientation;
  • genetic data;
  • biometric data (where processed to uniquely identify a person).

Examples of special category data include Open Door and disability support records, sick notes and medical fit notes, and equality data.

Note: Data relating to criminal offences and convictions does not fall within the definition above, despite having been treated as 'sensitive personal data' under the Data Protection Act 1998. The rules around the use of this type of personal data are even more restrictive and are covered by Article 10 of the GDPR and sections 10 and 11 of, and Schedule 1 to, the DPA 2018. For further information, contact dataprotection@york.ac.uk.