Salford Staff Channel : News


A message from Andrew Hartley, Director of Legal and Governance

Dec 05, 2017

GDPR changes are coming in May 2018

Use of personal data underpins the work of the University in many areas. The new General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (DPA) in late May 2018 and will impact on the way the University uses and manages data.

What will change?

The new GDPR does not create significantly new legal requirements as to the protection of personal data; however, it does increase the obligations placed on an organisation as to how personal data is used and managed.

The principal change that the GDPR introduces, compared with the old DPA, concerns the way in which an organisation will need to demonstrate that it complies with the new data protection requirements.

An organisation must be able to prove that its data is:

1. Processed fairly, lawfully and in a transparent manner;

2. Collected for specified, explicit and legitimate purposes;

3. Adequate, relevant and limited to what is necessary;

4. Accurate and, where necessary, kept up to date;

5. Kept in a form that permits identification of data subjects for no longer than is necessary; and

6. Processed in a way that ensures appropriate security of the personal data.

What next?

The University has formed a task group to oversee the way in which it implements the new GDPR requirements. As an important initial step we will conduct an information audit. Working with the data management project team from Digital IT, the task group will review all areas of the University where personal data is processed and ask why we are processing it, where data is kept, for how long and what we use the data for. We will go through a similar exercise when we put in place new systems, simultaneously thinking about the risks and security measures that are required to safeguard personal data.

GDPR – The Twelve Steps

At the same time as carrying out the audit we will conduct a training and awareness exercise within the organisation to ensure that decision-makers and key personnel are aware of the changing requirements being introduced by GDPR and the impact that these will have. The ICO has produced a very helpful summary of the actions that an organisation needs to consider when determining its approach to implementation of the GDPR.

Here is the link to this summary, The Twelve Steps

Each department across the University has a representative on the task group; full details are in the table below. Further information will be cascaded at each stage of the process over the forthcoming months.


Task Group Representative


Legal and Information Governance

Andrew Hartley (Chair)

Sam Licence

Digital IT

John Whitlow (until Jan 2018)
Mark Wantling (from Jan 2018) 

Simon Shaw

Marketing and External Relations

David Brack

Emma Goldsmith

Student Administration

Carole Reid

Helen Hermaya

Student Experience & Engagement

Julie Waddicor (until Dec 2017)


School Operations

Elaine Greenhalgh



Rob Bulman

Sara Das


Ian Dempsey

Pauline Hunter


Ed Moloney



Jo Cresswell

Adrian Duckworth


Matt Holden

Jo Makin


Paul Bolton

Elka Lamb


Paul Welshman