Data protection legislation

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. This legislation, together with the existing Privacy and Electronic Communications Regulation (PECR) will mean significant changes to how we can contact individuals by e-mail, and by telephone.

Under the new regulations, all processing of personal data such as e-mail addresses and telephone numbers must be based on one of six legal conditions: communications other than for core University business must be based on the consent of the recipient.

Consent must be voluntary, explicit and unambiguous. It cannot be conditional on agreeing to receive a service. It must be a positive action: ie not inferred from non-response or failure to ‘opt-out’.

The kind of communications which will be subject to these more stringent conditions for consent include the following (this list is not exhaustive):

  • Sales of tickets
  • Marketing of goods or services
  • Charitable appeals

From May 2018 it will no longer be possible to send e-mails relating to non-core business to anyone without their prior consent. Work is currently on-going to create a system whereby e-mail consents can be captured and recorded.

Further information on GDPR and PECR is available from the Information Commissioner’s Office

Or from the University’s Data Protection Officer:
a.cutler@sheffield.ac.uk