General Data Protection Regulation (GDPR)

Our commitment to GDPR

The General Data Protection Regulations (GDPR) came into force on 25 May 2018. 

This new legislation expands the rights of individuals to control how their personal information is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection.

At the University of Plymouth, we take data privacy seriously. We are committed to complying with data protection law and handling personal data correctly and appropriately. 

We are continuously working to update our policies and processes to ensure that we have the appropriate framework to support individuals’ rights.

An internal GDPR site has been created to help and support staff on how GDPR impacts them (note: you will need to be logged in with your University account to access this).

New Data Protection Legislation is now here 

The new General Data Protection Regulation (GDPR), designed to protect individual personal data, became law on 25 May 2018. Therefore, we all need to take stock of how we deal with any personal data as there is a much greater requirement on us as an organisation, and as individuals, to look after other people’s personal data. 

The recent substantial fine (£120,000) levied by the Information Commissioners’ Office to the University of Greenwich, for the serious breach in releasing student information, is a lesson for all Higher Education Providers. 

GDPR is European legislation. It has been adopted by the UK, despite the vote to leave the EU, to allow the UK to take advantage of the Digital Single Market. 

The harmonising and strengthening of data protection rules is a major part of the EU’s ambition to grow its digital economy, making better use of innovative services such as big data and cloud computing. Understandably, the UK also needs to be in a position to be part of this economic development. 

The importance of this new legislation is signalled by the considerable increase in the maximum financial penalty, which can be levied for a breach, from £500,000 to around £17 million. One of the most significant changes relates to the requirement for consent to be given by individuals for their personal data to be used. 

For example, for direct marketing you must be asked if you wish to receive marketing materials by ‘opting in’, rather than having to ‘opt out’, and there’s also a requirement that personal data is not held for any longer than is necessary. 

The changes brought about by the GDPR require us to be more conscientious about the way in which we process personal data, putting the rights of individuals at the heart of what we do, and being more transparent about how we use that data. 

Further support

Please do stop and think about how you manage personal data. For more information on GDPR, please read our GDPR overview and guidance document or visit the website of the Information Commissioner’s Office


As part of our GDPR programme, we have reviewed and updated our policies relating to handling data, creating new policies where needed, such as:

  • Data Protection Policy
  • Data Breach Policy
  • Subject Access Request Procedure
  • Data Retention and Erasure Policy
  • GDPR Complaints Policy
  • Data Protection Impact Assessment Policy
  • Photography and Video Policy.

These can be found on the Policies page.