The GDPR is a legal framework that outlines requirements for the collection and processing of personal information of individuals within the European Union (EU).
Although GDPR applies across the EU, each individual country has the ability to make its own small changes. In the UK, the Data Protection Act (2018) makes provision for how the GDPR applies within the UK. However, the Data Protection Act (DPA) also covers other aspects of data protection, not just the UK GDPR provisions. (For further details see the ICO website.)
The GDPR applies to the processing (collection, storage, analysis etc) of personal data. Personal data is information that relates to a living individual who can be identified from that information, whether directly or indirectly, and in particular by reference to an identifier. It includes, for example, a name, an identification number (eg pseudonymised data), location data, audio/video recording or an online identifier, such as the IP address. It could also include information that identifies an individual’s characteristics, whether physical, physiological, genetic, cultural or social. Sensitive personal data (relating to race, ethnicity, sexual orientation, politics, religion, health, trade union membership, genetics, sexual life, biometrics (where used for ID purposes), or criminal activities) is referred to as special category data under the GDPR.
It should generally be obvious whether your project falls within the scope of the GDPR, but this may not always be the case.
For more detailed information, please refer to the University guidance on data protection and research.