General Questions:

What constitutes person data?

Any information related to you, which can be used to directly or indirectly identify you. It can be anything from a name, a photo, an email address, bank details, posts on social networking sites, medical information, or a computer IP address.

Why the change?

The Data Protection Act of 1998 was drafted before much of the technology which transformed the way process information existed. GDPR is an update of the laws to meet the needs of today.

Will non-compliance result in fines?

Yes, the ICO aims to dissuade data protection failures by imposing large fines of up to 20,000,000 euros, or 4% of global annual turnover.

What about Brexit?

Despite GDPR being an EU law, the Data Protection Bill covers much of the same ground. In addition to this it is necessary for the UK to be considered to be adequately complying when Brexit occurs or else there will be restrictions on data transfers between the UK and the EU, which nobody wants to happen.

So if GDPR covers all of this what is the Data Protection Bill?

The GDPR is a directive aimed at all countries within the EU, there are various points within it however in which individual Member States may derogate from the regulations for reasons of their own circumstances. For this reason the Data Protection Bill and the GDPR will need to be read alongside each other, though the bill is still going through the House of Lords currently.

What is a Privacy Impact Assessment (PIA)?

A Privacy Impact Assessment is a type of risk assessment aimed at ascertaining whether a proposed processing of personal data is likely to have an adverse effect on either the data subject or anybody else. It is completed so steps can be taken to minimise the risk of this occurring.

What is Protection by Design and Default?

Protection by Design and Default means implementing methods of data protection from the very start of a project, and developing an understanding of how data is to be secure throughout the lifespan of the project.

Staff Questions

What is the College doing about this?

We have appointed a Data Protection Officer, Elaina Moss, who is responsible for ensuring the College’s compliance with GDPR. The responsibilities of this role include managing internal data protection activities; raising awareness of data protection issues, training staff, advising on data protection impact assessments and being a first point of contact for everyone about whom the College holds data.

We have also established a network of Data Stewards who have are accountable for how the data in their area is used and they are supported by Data Custodians who work with the data on a daily basis. These people support the Data Protection Officer in her work to ensure the College’s compliance with the law and we would ask that you co-operate with any request you might receive from them.

What do I need to do now?

Firstly you should complete the training available on Moodle. This will give you a good basis in understanding the GDPR and how we should process the data we hold.

Do I need to change the way I use data?

If you need to look at Individual’s (student, staff or other) data, where possible look at this on the relevant system (e.g. Banner) or using the relevant reporting tool (Infoview, Dashboards) rather than exporting/printing the information.

Only export/download personal data where you genuinely need to process/use it.

Ensure that any exported or collected documents containing personal data are saved in an appropriate location, e.g. Departmental shared drives, where access is limited to individuals who have a genuine need to access the data.

Do not save personal data to your PC (C: Drive or Desktop) and limit use of your Personal (Y) Drive unless there is nowhere else that data could be stored.

Limit the printing of documents with personal data unless absolutely necessary.

Where possible, you should avoid sending e-mails which contain personal data either in body of the email or as an attachment. If you can, direct the recipient to where they can find it in a shared drive to which you both have access. Emails are the College’s greatest source of data breaches as it is so easy to click the wrong name in the address book or to rely on autocomplete which you may not notice has given you the wrong name.

Personal data should never be emailed to a non-Royal Holloway email address.

We know that so much of our work relies on our ability to share information and we are working on ways to enable you to securely share personal data.

Do not save personal data onto a memory stick, external hard drive or laptop unless these devices are encrypted. Ensure you have consulted the Mobile Working Policy.

What do I do if I think I or someone in my team or department has committed a data breach?

You should take action as soon as you become aware of this. Contact us at and read the Personal Data Breach Reporting Procedure [link TBC] before filling out this form.           

If somebody requests to have their data deleted do I have to comply?

If you receive a request like this, please refer them to the Data Protection Officer who will handle the request.

If the Police ask me for the personal data of a Student do I have to give it to them?

If you receive a request directly from the Police, please refer them to the Data Protection Officer who will liaise with the Police directly. Do not give information to an officer just because they ask for it.