General Data Protection Regulation (GDPR)

Our commitment to GDPR

The General Data Protection Regulation (GDPR) came into force on 25 May 2018.

This new legislation expands the rights of individuals to control how their personal information is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.

At the University of Plymouth, we take data privacy seriously. We are committed to complying with data protection law and handling personal data correctly and appropriately.

We are continuously working to update our policies and processes to ensure that we have the appropriate framework to support individuals’ rights.

What do I need to know?

If you are a member of staff, you can access the internal GDPR site for help and support how GDPR impacts you and what you need to know (note: you will need to be logged in with your University account to access this). You also need to ensure that you have completed the GDPR e-learning. Details to access this can also be found on the internal GDPR site.

There is also a range of new and updated policies which relate to data protection. Details of these can be found further down this page.

For information from the UK’s regulator of GDPR, please visit the website of the Information Commissioner’s Office.

Policies

As part of our GDPR programme, we have reviewed and updated our policies relating to handling data, creating new policies where needed, such as:

  • Data Protection Policy
  • Data Breach Policy
  • Subject Access Request Procedure
  • Data Retention and Erasure Policy
  • GDPR Complaints Policy
  • Data Protection Impact Assessment Policy
  • Photography and Video Policy.

These can be found on the Policies page.

Your information rights

Under GDPR there are an increased number of rights an individual has in relation to the gathering, processing and storage of personal data. These are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated processing and profiling

Please note the rights are not absolute and may not apply in all circumstances.

Details of how you can access your rights can be found on the Your Information Rights page.

Personal Data Breaches

The University has a dedicated data breach process for dealing with instances where there has been (or where there is suspicion that there might have been) a data breach.

All members of staff within the University have a duty to report any such instances without delay. Also, if any students or members of the public become aware of a data breach at the University then we would strongly encourage you to report it to us so we can investigate and take action.

Details of how we handle personal data breaches, including how to report a breach, can be found on the Personal Data Breach Process page.

Privacy Notices

Under GDPR all organisations which process personal data must inform individuals about that processing in a concise, transparent and intelligible manner. This needs to be written in clear and plain language and easily accessible.

The University has numerous central privacy notices to inform data subjects about how we processes their personal data. Links to these can be found on the Privacy Notices page.