The General Data Protection Regulation (GDPR), which formally took effect May 25, 2018, is intended to affect organizations worldwide, including universities. The GDPR:
- Replaces the Data Protection Directive 95/46/EC as the primary law regulating how companies and organizations protect the personal data of European Union (EU) residents.
- Expands personal privacy rights for EU residents and also affects non-EU citizens located in the EU.
- Mandates a baseline set of standards for organizations that handle certain personal and other data of individuals located in the EU to better safeguard the processing and movement of that data.
- Applies to institutions with no physical EU presence if they control or process covered information (irrespective of whether the subject individuals are EU citizens).
- Calls for fines of up to 4% of annual global turnover, or 20 million euros, whichever is more, for violations of the regulation.
U-M GDPR Compliance Program
The University of Michigan is developing a GDPR compliance program. The University Privacy Officer and the Office of General Counsel have convened a working group with representatives from across the university. The GDPR team is working to develop a risk-based GDPR compliance strategy and recommendations for an ongoing, sustainable GDPR compliance program.
Learn more about the GDPR and its impact on U-M at GDPR Frequently Asked Questions.
The GDPR working group and project team report these recent accomplishments and progress as of August 2018:
- The GDPR project team is analyzing more than 114 survey responses from U-M units with details about data and process flows at U-M.
- Work has begun on a GDPR register for maintaining the required records of data processing activities. Processes to be included in the register have been identified, and a template for recording this information has been completed.
- The group has identified and reviewed key U-M privacy statements and is drafting a master privacy statement template for the university that will account for GDPR compliance and reflect privacy statement best practices.
- The U-M Website Privacy Notice has been updated.
- A GDPR compliance project is underway in Admissions that will inform compliance efforts in additional units.
See the U-M GDPR Project Kick-Off Slides (March 8, 2018) for a list of working group members and the initial plans for developing the program.
What You Can Do
You do not need to do anything immediately. It will take some time for organizations around the world to sort through, understand, and determine the implications of the GDPR requirements, as well as figure out how best to meet them. Watch for more information as the university's GDPR working group continues its work. If you have immediate questions or concerns, send email to email@example.com.
Articles About the GDPR
- What Europe’s Tough New Data Law Means for You, and the Internet (The New York Times, 5/6/2018)
- Toolkit to Help University Institutions Prepare for New Data Protection Legislation GDPR (University of Cambridge via EDUCAUSE, 4/24/18)
- Not yet GDPR compliant? Your school is not alone (IT Forum Perspectives, 4/16/18)
- Does GDPR Regulate My Research Studies in the United States? (McDermott Will & Emery, 2/5/18)
- EU Data Protection (European Commission)
- General Data Protection Regulation (Wikipedia)
- MarTech Today’s Guide to GDPR — The General Data Protection Regulation (MarTech Today)
- What is GDPR? Everything you need to know before the 2018 deadline (ITPro, 1/15/18)
- What is GDPR (General Data Protection Regulation)? Understanding and Complying with GDPR Data Protection Requirements (Digital Guardian's Data Insider blog, 1/15/18)
- What You Need to Start Doing Now to Be Ready for GDPR (AdWeek, 2/9/18)