Coronavirus (Covid-19): Latest updates and information
Skip to main content Skip to navigation

GDPR: FAQs and Contacts

The content on this page will be updated weekly. If you have any questions, please contact us at gdpr at warwick dot ac dot uk.

What is GDPR? GDPR stands for General Data Protection Regulation and is the new legislation. It regulates the protection of personal data, imposes greater sanctions, promotes accountability and enhances individual rights.
When will the GDPR come into effect? The Regulation will come into effect on the 25th May 2018 and will bring in significant changes to current data protection laws as we know them. Any organisation deemed non-compliant will face hefty fines and sanctions for breaches and non-compliance.
What kind of information does the GDPR apply to? GDPR applies to any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
What does GDPR mean by processing? Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What effect, if any, does Brexit have on GDPR? None.
The UK government has adopted the GDPR in its entirety in the draft UK Data Protection Bill and as such the GDPR will apply to the UK regardless of whether we remain in the Union.
Who does GDPR apply to? Any organisation which processes the personal data for individuals within the EEA or any organisation that processes personal data in the EEA.
Which are the EEA countries
Austria Belgium Bulgaria Czech Republic
Cyprus Denmark Estonia Finland
France Germany Greece Hungary
Iceland Ireland Italy Latvia
Liechtenstein Lithuania Luxembourg Malta
Netherlands Norway Poland Portugal
Romania Slovakia Slovenia Spain
Sweden UK    
The European Commission has decided that certain countries have an adequate level of protection for personal data. Currently, the following countries are considered as having adequate protection:

Andorra Argentina Canada* Faroe Islands
Guernsey Israel Isle of Man Jersey
New Zealand Switzerland Uruguay  
* (Commercial organisations only)
Who do I contact if I have a query? In the first instance use gdpr at warwick dot ac dot uk

Do we need to ask again for consent to use personal data that we already hold?
  • Yes if the consent was obtained in a manner that is no longer consistent with the requirements of the new legislation, departments will need to go back to data subjects and request consent again. If you are unsure if this applies to you email gdpr at warwick dot ac dot uk.
  • Yes if the consent was obtained in a manner that is consistent but you are now wanting to use the data for another purpose to that stated at the point of collection.
What are the implications (if any) of GDPR for obtaining consent from vulnerable individuals (i.e. research involving children, those who lack capacity and in emergency situations)?
  • With Children – the parents will need to be involved and give consent.
  • Capacity issues – this will be dependent on who the individual’s representative is – it will usually be the person who holds the power of attorney or equivalent.
  • Consent forms should use clear and concise language so individuals can understand what will happen to their personal data, and what rights they have.
Do we need a process that enables individuals to withdraw consent?
  • Yes. You will need a process/means for enabling an individual to withdraw their consent for you to use their data and to ensure the processing for that individual’s data stops.
  • Yes. It must be as easy (or easier) to withdraw consent as it is to give it.

Device Encryption
Do I need to do anything now with my ITS/University device? If you are using Windows 10 and BitLocker encryption is enabled, you will be ok. The intention is to implement device encryption on all University managed or owned devices that are not currently operating using Windows 10 – but this will be achieved in a phased programme, tackling the highest risk areas first. Most users do not need to do anything at this time. For users with ITS-managed devices running on Windows 7, BitLocker encryption will be enabled as part of the migration to Windows 10 and you do not need to do anything yet, unless you are in a high risk group i.e. you travel frequently and therefore have a higher risk of theft or loss, or you use a shared device (especially unmonitored/public access).
If you think you are in a high risk group then contact the ITS helpdesk and you will be prioritised.
You are high-risk if you answer yes to the following questions. If so, contact ITS to discuss how to set up encryption immediately.
  • Is your device at risk of being lost or stolen (Mobile working, frequent travel)?
  • You use a shared device (especially unmonitored or with public access)?
Staff with University owned, but self-managed devices should enable encryption as soon as possible – contact ITS helpdesk if you need help with this.
Do I need to do anything with my personal device that I use for Warwick? If you use a personal device then you will already be familiar with the existing minimum mandatory working practices. You should manage the risks associated with the use of a personal or shared computer or device for University information and you are responsible for the protection and secure disposal of Restricted or Reserved Information.
In addition to meeting the minimum requirements for computer safety and internet browsing you should: Remember not to share passwords and do action security updates sent to you by your software security provider.
Do I need to do anything with my Smartphone? Not if you use a password. Most smart mobile phones have encryption enabled by default as long as the device has been set-up to require a password on log-in/power-on.

How do I know the difference between the different types of data – public, protected, restricted and reserved? Each type of data have a different security level of security risk. Rule of thumb is, the more personal and more identifiable the individual is from the data – the more care you need to take. Look at Warwick’s guidance on Information Classifications.
What is ‘sensitive’ personal data’? Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms of a data subject. The GDPR refers to sensitive personal data as "special categories of personal data which uniquely identify a person" such as, racial or ethnic origin, physical, physiological, mental, socio economic, cultural, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
How do I know what to keep? Understand what information you have and why you have it. Delete or destroy information you no longer need, including paper based documents. If there is a requirement to retain the information, ensure you follow the Records Management Policy and associated Records Retention Schedule.

Can I use my personal email account (e.g. Gmail)? Any emails relating to your work at Warwick should be done via the University email system.
Can I email data? If you are emailing personal data then make sure you are familiar with and follow the University guidelines for handling electronic information.
Can we still use POP3 and IMAP Office 365 currently supports the use of POP and IMAP to allow a broad choice of email client (an app or program used to send and receive messages, as distinct from browser-based webmail).
However, university business should always be conducted from your University-provided email account, which by default will deliver to an Office 365 mailbox. The use of a personal email account from a third-party provider for University business is inadvisable, and if the content of such messages contains data classified as “personal” for the purposes of GDPR then a personal email account should not be used.

Is there any training I can access? There is already a course on the intranet entitled Information Security Essentials which we advise all staff to complete.
There is also now GDPR specific training available. To access this e-learning course click here.
Both the new GDPR training module and the and Information Security Essentials training module need to be completed.

Much of the above is incorporated within the Information Security Framework and also the Information Security Webpages which contain further information on information security practices.