Records Management

General Data Protection Regulation (GDPR)

Information about the University's work to implement new data protection legislation.

Data protection legislation gives rights to people about whom we hold information, and gives us responsibilities regarding that information. Data protection legislation changed on 25 May 2018, when the General Data Protection Regulation (GDPR) came into force, replacing the existing Data Protection Act 1998.

The University is currently in the process of implementing the requirements of the General Data Protection Regulation. More information will be published on this website in due course.

You can find information about the changes from the Information Commissioner's Office (ICO). The ICO is the UK regulator who oversees compliance with data protection legislation.

Information Commissioner's Office Guide to the GDPR 

Data Protection Policy

The University Data Protection Policy has been updated.

University of Edinburgh data protection policy

University guidance

We are working on providing updated data protection guidance for staff.

The following new guidance has been produced for staff by the University Data Protection Officer.

Cloud software and services


Data protection breach procedure

Data protection definitions

Data protection handbook

Data Protection Impact Assessment (DPIA)

Data Protection SharePoint Intranet

Direct marketing under data protection law

International transfers

Legal basis for processing

Legitimate interest

Mailing lists and data protection


Privacy notices

Research and the General Data Protection Regulation


A full index of guidance on this website can be found on our guidance list for staff:




Data Protection training