911±¬ÁÏÍø

UCL has about the new GDPR.Ìý In addition to this, research teams should be aware of the following:

•Ìý Ìý Ìý Ìý ÌýGenetic data such as DNA or RNA, which can identify the individual, is now unambiguously subject to data protection principles.

•Ìý Ìý Ìý Ìý ÌýData breaches must be reported within 72 hours.Ìý

•Ìý Ìý Ìý Ìý ÌýParticular types of research where the data subjects are vulnerable may require a data privacy impact assessment -Ìý a formal process to "evaluate, in particular, the origin, nature, particularity and severity" of the "risk to the rights and freedoms of natural persons" before processing personally identifiable information.

•Ìý Ìý Ìý Ìý ÌýThere will be a requirement to insert relevant GDPR compliant clauses in all active contracts.ÌýÌý

•Ìý Ìý Ìý Ìý ÌýThe new accountability principle means that, as data controllers, UCL and UCLH will be required to document compliance with the regulation - this will require the creation of a register of personal data assets held, showing what personal data is collected, how it is used, how it is secured, if it is shared and how long it is retained.

The Joint Research Office is currently awaiting guidance from the MRC and HRA, however preliminary reading suggests that, as data controllers, UCL and UCLH, will have many more legal obligations which will require new policies and processes.Ìý

Some aspects of data protection are still evolving and there is a new Data Protection Bill currently working its way through Parliament that will complement the GDPR. The Bill will provide further clarity over matters such as the use of exemptions for research purposes and the extent of individuals' rights over personal data used in research.Ìý