General Data Protection Regulation (GDPR)

Our commitment to GDPR

The General Data Protection Regulations (GDPR) came into force on 25 May 2018. This new legislation expands the rights of individuals to control how their personal information is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.

At the University of Plymouth, we take data privacy seriously. We are committed to complying with data protection law and handling personal data correctly and appropriately. We are continuously working to update our policies and processes to ensure that we have the appropriate framework to support individuals’ rights.

New Data Protection Legislation is now here 

The new General Data Protection Regulation (GDPR), designed to protect individual personal data, became law on 25 May 2018. Therefore, we all need to take stock of how we deal with any personal data as there is a much greater requirement on us as an organisation, and as individuals, to look after other people’s personal data. The recent substantial fine (£120k) levied by the Information Commissioners’ Office to the University of Greenwich, for the serious breach in releasing student information, is a lesson for all Higher Education Providers. 

GDPR is European legislation. It has been adopted by the UK, despite the vote to leave the EU, to allow the UK to take advantage of the Digital Single Market. The harmonising and strengthening of data protection rules is a major part of the EU’s ambition to grow its digital economy, making better use of innovative services such as big data and cloud computing. Understandably, the UK also needs to be in a position to be part of this economic development. 

The importance of this new legislation is signalled by the considerable increase in the maximum financial penalty, which can be levied for a breach, from £500k to around £17 million. One of the most significant changes relates to the requirement for consent to be given by individuals for their personal data to be used. For example, for direct marketing you must be asked if you wish to receive marketing materials by ‘opting in’, rather than having to ‘opt out’, and there’s also a requirement that personal data is not held for any longer than is necessary. 

The changes brought about by the GDPR require us to be more conscientious about the way in which we process personal data, putting the rights of individuals at the heart of what we do, and being more transparent about how we use that data. 

Further support

Please do stop and think about how you manage personal data. For more information on GDPR, please read our GDPR overview and guidance document or visit the website of the Information Commissioner’s Office. Also, HR are currently running GDPR Overview sessions for staff which can be booked through Employee Self Service GDPR Awareness course. If there are no current slots available for one of these sessions, please add your name to the waiting list. A mandatory e-learn for all staff will be launched during August/September to promote understanding of GDPR and information security.

An internal GDPR site is being created to help and support staff and students on how GDPR impacts them. This site will be available shortly.

The University is in the process of creating an Information Asset Register (IAR) where all assets containing personal information across the University will be stored and updated as necessary. The GDPR team are currently working with each area of the University to work with the designated IAR Lead to identify assets which contain personal information and build a map of this across the institution. An Information Asset Register site has been created where you can find out more information on implementation of the register, guidance, FAQ’s and raise any questions you may have (you will need to be logged in with your University account to access these sites).