Compliance with the GDPR is a legal requirement. Breaches of data protection law may result in investigations, significant fines, adverse publicity, and civil or criminal liability.
Enforcement action may be taken by the Information Commissioner’s Office (the 'ICO'), which has the power to issue fines or require changes in an organisation’s policies and procedures. If the University fails to comply with its legal obligations, such action could be taken against the University and published on the ICO’s website, resulting in reputational damage.
Individuals have extensive rights under the GDPR, which they may exercise by submitting requests to organisations using their data (see GDPR exemptions for further information). If they are dissatisfied with the University’s response, they may complain to the ICO. Individuals may also bring legal claims for damage or distress.
More generally, the University is committed to responsible processing of information relating to individuals and to respecting their rights to data privacy. Although the consideration of data protection law may seem like an additional burden, much of it is plain common sense and, indeed, is often consistent with the ethical requirements of many research projects.