General Data Protection Regulation (GDPR) Compliance

GDPR Open Forum July 26

Learn more about GDPR compliance at U-M at a GDPR Open Forum on July 26, 2018, 9–11 a.m., at the Rackham Amphitheater.

The General Data Protection Regulation (GDPR), which formally took effect May 25, 2018, is intended to affect organizations worldwide, including universities. The GDPR:

  • Replaces the Data Protection Directive 95/46/ec as the primary law regulating how companies and organizations protect the personal data of European Union (EU) residents.
  • Expands personal privacy rights for EU residents and also affects non-EU citizens located in the EU.
  • Mandates a baseline set of standards for organizations that handle certain personal and other data of individuals located in the EU to better safeguard the processing and movement of that data.
  • Applies to institutions with no physical EU presence if they control or process covered information (irrespective of whether the subject individuals are EU citizens).
  • Calls for fines of up to 4% of annual global turnover, or 20 million euros, whichever is more, for violations of the regulation.

U-M GDPR Compliance Program

The University of Michigan is developing a GDPR compliance program. The University Privacy Officer and the Office of General Counsel have convened a working group with representatives from across the university.

Learn more about the GDPR and its impact on U-M at GDPR Frequently Asked Questions.

Program Status

The GDPR working group reports these recent accomplishments and progress as of May 2018:

  • Sent a data survey to those in units that store or process data likely to be affected by the GDPR. The survey asks for details about the data and process flows. As of late May 2018, more than 90 surveys have been submitted to the U-M GDPR project team for compilation, analysis, and legal review.
  • Work has begun on an GDPR register for maintaining the required records of data processing activities.
  • The group has begun work on a master privacy statement template for the university that will account for GDPR compliance and reflect privacy statement best practices.
  • An updated U-M Website Privacy Notice was published on the U-M home page May 24, 2018. Additional updates are likely later this summer. (See the Privacy Notice link at the bottom of the page.)

Program Plans

See the U-M GDPR Project Kick-Off Slides (March 8, 2018) for a list of working group members and the initial plans for developing the program. The group is making good progress on the following:

  • Develop a risk-based GDPR compliance strategy.
  • Plan how U-M will meet key GDPR compliance requirements.
  • Prepare the university to adequately respond to questions and requests related to GDPR.
  • Begin implementation of prioritized GDPR requirements.
  • Develop recommendations for an ongoing, sustainable GDPR compliance program.
  • Make GDPR compliance resources available to the university community, such as:
    • Data flow documentation for processes affected by the GDPR
    • Privacy statements for affected processes
    • A set of templates and tools that allow process owners to assess their processes and comply with key GDPR requirement.
    • A website that pulls together the information U-M units need to comply with the GDPR

What You Can Do

You do not need to do anything immediately. It will take some time for organizations around the world to sort through, understand, and determine the implications of the GDPR requirements, as well as figure out how best to meet them. Watch for more information as the university's GDPR working group goes about its work. If you have immediate questions or concerns, send email to

Articles About the GDPR