Scope of GDPR
1. Are you processing?
Processing means almost anything a research team might do with personal data, including:
- collecting it
- holding or storing it
- retrieving, consulting or using it
- organising or adapting it
- publishing, disclosing or sharing it
- destroying it
2. Does your project involve personal data?
Personal data is information which relates to a living individual who can be identified from that information, whether directly or indirectly, and in particular by reference to an identifier. It includes, for example, a name, an identification number, location data, or an online identifier, such as the IP address, as long as that information can be linked by the University to a living individual. It could also include information that identifies an individual’s characteristics, whether physical, physiological, genetic, cultural or social.
This definition is intentionally broad, and its application to particular types of research data is considered in more detail below. Where there is any doubt, the ICO advises erring on the side of caution with regard to the interpretation of personal data and looking to the flexibility in the application of the data protection principles (see below).