Seven questions and answers on the new General Data Protection Regulation
We all want our personal data to be handled responsibly, whether it is information about our date of birth and address or sensitive information about religion and health. The new General Data Protection Regulation, which comes into effect on 25 May 2018, will help to ensure the responsible handling of personal data.
Tanja Møllegaard Løvgren, jurist and senior consultant in the Faculty Administration, answers seven questions about what the new regulation means.
Why is it important to get involved?
– The aim of the General Data Protection Regulation is to protect the individual's personal information. An individual should have control over their own personal information and trust that the information held by public institutions and private companies is processed securely and used only for the purpose for which it was gathered. As far as the Faculty of Science is concerned, both students and employees need to be sure that their information is being handled properly.
What is personal data?
– Personal data falls into two categories: General personal data includes name, address and date of birth, while sensitive personal data includes information on ethnic background, religious belief and health-related information.
Which professional groups at SDU does it affect?
– Pretty much everyone. The Regulation affects not only the way administrative staff handle personal data about students and other members of staff, but also academic staff who have contact with students, for instance by e-mail. New guidelines for processing data used in research are also on the way.
– The new Regulation affects everybody who comes into contact with data. A public institution storing data, such as SDU, is responsible for that data. The person responsible for the data must meet their obligation to look after the personal information with which they have been entrusted. This means that, first and foremost, SDU needs to have control over what personal information it is storing and how the information is being used. Then the person responsible for the data should ensure that the personal information is being stored securely and for no longer than necessary, as well as using the information only for the purpose for which it was gathered.
– By May 2018, all members of staff at SDU should be familiar with a number of new procedures which will ensure the correct, secure and effective handling of data.
What should the Faculty's staff be particularly aware of?
– The most important aspect of the new General Data Protection Regulation is that we should have a better overview of where we are storing personal data and how we are using it. There are a number of instances where data on former employees has been stored for too many years and ended up in systems of which we don't have an overview.
What are we doing at SDU?
– We are well underway with making sure that, as an institution of education and research, we meet the requirements of the General Data Protection Regulation. SDU has appointed a steering committee, and IT Services is leading the process. Responsibility for implementing the General Data Protection Regulation lies with the individual Faculties.
– IT Services has divided the process into three phases:
- Description of the systems and processes with which we currently handle personal data
- Identification of where we do not meet the requirements for handling personal data
- Implementation of processes and systems that ensure we meet the requirements
Concretely, what is happening at the Faculty of Science?
– At SDU, we handle personal data in three areas: administration, education and research. At present, we are working on the description of systems and processes in all three areas. That work is underway right now at the Faculty Administration and in each department. We will be finished by the end of November, and then work will start on identifying the areas where we do not meet the requirements.