General Data Protection Regulation (GDPR)

Our commitment to GDPR

The General Data Protection Regulation (GDPR) came into force on 25 May 2018.

This new legislation expands the rights of individuals to control how their personal information is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.

At the University of Plymouth, we take data privacy seriously. We are committed to complying with data protection law and handling personal data correctly and appropriately.

We are continuously working to update our policies and processes to ensure that we have the appropriate framework to support individuals’ rights.

What do I need to know?

Please do stop and think about how you manage personal data. For more information on GDPR, please read our GDPR overview and guidance document or visit the website of the Information Commissioner’s Office.

If you are a member of staff, you can access the internal GDPR site for help and support on how GDPR impacts you and what you need to know (note: you will need to be logged in with your University account to access this). You also need to ensure that you have completed the GDPR e-learning. Details of how to access this can also be found on the internal GDPR site.

There is also a range of new and updated policies which relate to data protection. Details of these can be found further down this page.

New Data Protection Legislation is now here

The new General Data Protection Regulation (GDPR) and the Data Protection Act 2018, designed to protect individual personal data, became law on 25 May 2018. Therefore, we all need to take stock of how we deal with any personal data as there is a much greater requirement on us as an organisation, and as individuals, to look after other people’s personal data. 

The harmonising and strengthening of data protection rules is a major part of the EU’s ambition to grow its digital economy, making better use of innovative services such as big data and cloud computing. Understandably, the UK also needs to be in a position to be part of this economic development.

The importance of this new legislation is signalled by the considerable increase in the maximum financial penalty that can be levied for a breach, from £500,000 to around £17 million for public authorities or 4% of turnover.

The changes brought about by the GDPR require us to be more conscientious about the way in which we process personal data, putting the rights of individuals at the heart of what we do, and being more transparent about how we use that data.

Policies

As part of our GDPR programme, we have reviewed and updated our policies relating to handling data, creating new policies where needed, such as:

  • Data Protection Policy
  • Data Breach Policy
  • Subject Access Request Procedure
  • Data Retention and Erasure Policy
  • GDPR Complaints Policy
  • Data Protection Impact Assessment Policy
  • Photography and Video Policy.

These can be found on the Policies page.

Personal Data Breaches

The University has a dedicated data breach process for dealing with instances where there has been (or where there is suspicion that there might have been) a data breach.

All members of staff within the University have a duty to report any such instances without delay. Also, if any students or members of the public become aware of a data breach at the University then we would strongly encourage you to report it to us so we can investigate and take action.

Details of how we handle personal data breaches, including how to report a breach, can be found on the Personal Data Breach Process page.

Privacy Notices

Under GDPR all organisations which process personal data must inform individuals about that processing in a concise, transparent and intelligible manner. This needs to be written in clear and plain language and easily accessible.

The University has numerous central privacy notices to inform data subjects about how we process their personal data. Links to these can be found on the Privacy Notices page.