Universify and GDPR Compliance

What is the GDPR?

The General Data Protection Regulation (GDPR) imposes strict controls on how all organisations collect and process personal data within the EU and/or the personal data of EU citizens.

The enforcement of the GDPR is overseen by the UK’s supervisory authority, the Information Commissioner’s Office (ICO). It ensures that everyone is playing by the rules and that the rights of data subjects — the people whose data is being processed — are correctly protected.

Those individuals or institutions which determine the purposes and means of processing personal data are referred to as data controllers under the GDPR, whereas a data processor is responsible for processing data on behalf of the data controller.

The regulation outlines six key principles for organisations that process individuals’ personal information. These are that data shall be:

  • processed lawfully, fairly and transparently
  • collected for specified, explicit, and legitimate purposes
  • adequate, relevant and limited to what is necessary for processing
  • accurate and kept up to date
  • retained only for as long as necessary
  • processed in an appropriate manner to maintain security

What has Universify done to prepare for GDPR?

We’re constantly improving the technical and organisational security measures we have in place to protect your data and are committed to being fully compliant with GDPR. We will also support you with your own compliance obligations regarding any personal data held within Universify.

Here are some of the ways we are committed to GDPR compliance:

Awareness & accountability

We have an institution-wide commitment to compliance with the GDPR. Everyone working at Universify understands what their own responsibilities and those of the institution are.


We have undertaken an audit to clearly document what data we hold, where we hold it, where that data comes from and where it goes. This enables us to keep track of all data and helps us to make the right decisions when it comes to making sure that your data is always protected.


We updated our privacy policy so that you can see exactly how, why and where we may be processing your data, and how long we hold it for and what to do if you don’t think we’re complying with the regulation.

Data processing addendum (DPA)

We’ve made available a DPA for our colleges and other partner institutions to sign. For students, teachers, tutors, and volunteers our privacy policy covers the required terms of data processing under the GDPR and a DPA is not required.

Basis and consent

By joining Universify’s programme you are entering into an agreement which gives us a legitimate basis to process your data, in line with GDPR requirements. In other words, in order for the students to benefit fully from our programme, we need to process some personal data.

However, in order to keep you up to date with our news, we will need your explicit consent. We make sure it’s obvious where and how you can agree to this and you can unsubscribe from these updates at any time.

Your rights

Under the GDPR you have the right to see a full copy of any data we hold about you, and also the right to request that it is fully deleted from our system (although we may be required to keep some records to ensure that you are not contacted in future, or to comply with any legal obligations).

However, to prove that Universify is working towards its charity objectives — outlined in its governing documents — we require personalised student data until every student is 24 years old, or has completed their first university degree, prior to turning 24. When a student reaches that age we will erase their data. All sensitive data, that is not required to track a student’s progress to higher education, such as medical and dietary information, will be deleted after the completion of the residential aspects of our programme. Students may also request the erasure of their data before this time, by emailing info@universifyeducation.com.

We hold teacher information in order to co-ordinate student applications and the delivery of the programme to our students. We will ask teachers to provide contextual information to ensure students meet the eligibility criteria. We also ask for teachers to provide information on student’s attainment at GCSE to allow us to measure the impact of the programme. We will hold teacher information (name, school, email address and phone number) for as long as they act as a lead teacher, or if they ask for us to erase their information by emailing info@universifyeducation.com, if this does not affect students signed up to an existing Universify programme. After two years we will delete the information of any lead teacher we have not had contact with.

The data you provide will be used to make statistical analysis of the impact Universify Education’s programme. Your personal data won’t be made public nor shared with partners without a DPA.

Keeping data secure

We are constantly improving our security measures to keep the information we hold within Universify safe and whenever we work with third parties (sub-processors) to help us provide our service, we ensure that their security processes are as robust as our own.

Contacting us

If you ever want to contact us about GDPR, data protection or to find out more about how we process your data, please feel free to drop an email to info@universifyeducation.com and we will get back to you as soon as possible.

Where can I learn more about GDPR?

The UK Information Commissioner’s Office website is a great resource for GDPR information: https://ico.org.uk