The new General Data Protection Regulation (GDPR) comes into effect in May 2018. It will replace the current Directive and apply to all EU member states without the need for national legislation. The implementation will require comprehensive changes to the way in which organisations, like UCL, collect, use and transfer personal data.

Please see the UCL Data Protection Office’s guidance on the impact of the GDPR on how researchers will seek consent, on privacy notices, data breaches and more.

Following the agreement between the European Commission and United States in 2016, the ‘EU-US Privacy Shield’ is now in force and is therefore the main means of allowing personal data to be transferred to the US.

The EU-US Privacy Shield replaces the invalidated Safe Harbour agreement whilst providing additional obligations to protect personal data, as well as establishing annual monitoring and reporting.

Any new agreement to transfer personal data (including transient transfer) can only be done if the US recipient (this includes universities) has signed up to the Privacy Shield Framework.

Researchers planning on transferring data to the US to a recipient that has not signed up to the Privacy Shield Framework, or who are already working under an existing Safe Harbour agreement, should contact the UCL Data Protection Office (data-protection@ucl.ac.uk).

Further information about the EU-US Privacy Shield can be found on the UCL Data Protection webpages.