General Data Protection Regulation (GDPR) Compliance

GDPR Open Forum Presentation

The presentation, held July 26, 2018 at U-M, covered some history, why and when GDPR might apply for U-M, U-M's approach to GDPR, and more.

The General Data Protection Regulation (GDPR) affects organizations worldwide, including universities. The GDPR:

  • Replaces the Data Protection Directive 95/46/ec as the primary law regulating how companies and organizations protect the personal data of European Union (EU) residents.
  • Expands personal privacy rights for EU residents and also affects non-EU citizens located in the EU.
  • Mandates a baseline set of standards for organizations that handle certain personal and other data of individuals located in the EU to better safeguard the processing and movement of that data.
  • Applies to institutions with no physical EU presence if they control or process covered information (irrespective of whether the subject individuals are EU citizens).
  • Calls for fines of up to 4% of annual global turnover, or 20 million euros, whichever is more, for violations of the regulation.

U-M GDPR Compliance Program

The University Privacy Officer and the Office of General Counsel, along with a working group with representatives from across the university have developed an emerging, risk-based GDPR compliance strategy and GDPR compliance program. The program focuses on managing three aspects of the GDPR compliance process:

  • Lawful data processing
  • Data subject rights
  • Managing contracts

Here are some of the current program activities and deliverables:

  • The GDPR proram team has analyzed 114 survey responses from U-M units with details about data and process flows at U-M.
  • A GDPR register has been created for maintaining the required records of data processing activities, and population of the register is underway.
  • The group has identified and reviewed key U-M privacy statements and is drafting a master privacy statement template for the university that will account for GDPR compliance and reflect privacy statement best practices.
  • The U-M Website Privacy Notice has been updated.
  • A GDPR compliance project is underway in Admissions that will inform compliance efforts in additional units. An initial legal assessment of the admissions process has been completed.
  • A GDPR toolkit fo U-M units is under development.

See the U-M GDPR Project Kick-Off Slides (March 8, 2018) for a list of working group members and the initial plans for developing the program. Learn more about the GDPR and its impact on U-M at GDPR Frequently Asked Questions.

What You Can Do

You do not need to do anything immediately. It will take some time for organizations around the world to sort through, understand, and determine the implications of the GDPR requirements, as well as figure out how best to meet them. Watch for more information as the university's GDPR compliance program matures. If you have immediate questions or concerns, send email to gdpr-program@umich.edu.

Articles About the GDPR