Records Management

General Data Protection Regulation (GDPR)

Information about the University's work to implement new data protection legislation.

Data protection legislation gives rights to people about whom we hold information, and gives us responsibilities regarding that information. Data protection legislation changed on 25 May 2018 when the General Data Protection Regulation (GDPR) came into force replacing the existing Data Protection Act 1998.

The University is currently in the process of implementing the requirements of the General Data Protection Regulation. More information will be published on this website in due course.

You can find information about the changes from the Information Commissioner's Office (ICO). The ICO is the UK regulator who oversees compliance with data protection legislation.

Information Commissioner's Office Guide to the GDPR 

Data Protection Policy

The University Data Protection Policy has been updated.

University of Edinburgh data protection policy

University guidance

We are working on providing updated data protection guidance for staff .

The following new guidance has been produced for staff by the University Data Protection Officer.

Legal basis for processing


Legitimate interest

Data Protection Impact Assessment guidance

Customising your privacy notice

Mailing lists and data protection

Data protection breach procedure

Direct marketing under data protection law

Research and the General Data Protection Regulation

Research data protection impact assessment

Data protection definitions

Data protection handbook

Our existing guidance is being reviewed and updated. A complete list of data protection guidance can be found on our website.

Index of data protection guidance