
GDPR - what you need to know, distilled

GDPR (the General Data Protection Regulation) replaces the UK Data Protection Act.

  • It seeks to ensure that we only process/store data where we have a legitimate business reason for doing so.
  • It strengthens every individual's right to ‘be forgotten’.
  • It dramatically increases the maximum penalty for non-compliance or a data breach, up to 20m Euros.

The Institute Admin team has undertaken to ensure that all Institute business processes are now compliant with GDPR, but there are some areas where you must be aware and take personal responsibility.


What do Gurdon Institute researchers need to know?

1) Group Leaders, recruiters, website managers: Where you invite people to submit personal information (e.g. CVs) speculatively as a precursor to the normal recruitment process, you must provide information about how their data will be processed, and how, and for how long, their data will be stored. The following form of words would be suitable:

We welcome applications at any time from any suitably-qualified researchers – please email your CV and a covering letter to Please note that this information may be shared with colleagues in the Institute, and may be stored for a maximum of 2yrs for future reference if there are no suitable vacancies at this time, unless you specify otherwise. Please see the University’s privacy and data protection policies for further information.

2) Group Leaders, recruiters: When seeking references as part of a recruitment exercise, you must always use the standard University process.

3) Everyone: Once every 6 months, search your computer using the following keywords: CV, Curriculum Vitae, Resume. Review the results and delete any CV documents that are older than 1yr and which hold no legitimate business interest.

4) Everyone: Where datasets that contain personal information are stored in services or infrastructure outside of the University (e.g. externally-hosted websites, cloud storage etc.), you must ensure that those services and contracts are GDPR-compliant:

  • The storage must be physically located within the GDPR jurisdiction area, or;
  • Storage must meet GDPR standards for privacy and data protection.

Compliant (as of 1st May 2018): Dropbox, @cam OneNote, OneDrive, Google Cloud   
Non-compliant: Evernote, Squarespace,*, etc.

*Note that the Institute Computing Office can provide WordPress and 'normal' web hosting if you'd like to bring your website into the University without adopting the standard University templates.

5) Group Leaders, website managers: The Institute stores personal information about alumni for demographic reasons and to provide career development information for grant and Athena SWAN applications etc. The same strong business justification does not exist for publishing personal information about former lab members on research groups’ own websites, and these lists should be removed.

6) Everyone: If you become aware of a breach or data loss where personal information may have been compromised, please contact the Computing Office immediately, even if the breach/loss seems insignificant.