What is GDPR?

GDPR is the General Data Protection Regulation that went into effect on May 25, 2018 and applies to entities that handle the personal data of individuals in the European Economic Area (EEA) [1]. GDPR strengthens the rights of individuals and significantly increases fines for non-compliance. GDPR Simplified provides a general overview of the regulation as well as steps departments should take if they are processing personal data from individuals in the EEA.

What is “personal data” under the GDPR?

The GDPR greatly expands the definitional scope of “personal data” from traditional identifiers such as name and social security number to include information such as location, IP address, and information specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the natural person. (Chapter 1, Article 4.1)

What is “processing data” under the GDPR?

“Processing” under the GDPR includes:

  • Collection
  • Recording
  • Organization
  • Storage
  • Alteration
  • Retrieval
  • Use
  • Disclosure
  • Dissemination
  • Erasure
  • Destruction

(Chapter 1, Article 4.2)

What departments may be affected?

Departments potentially affected by the regulation include:

  • Recruiting and Admissions Activities
  • Education Abroad
  • Alumni
  • Development
  • Research
    • Direct contact with participants in the EEA
    • Using EEA databases
    • Collaborating with EEA entities
  • Websites directed to individuals in the EEA
  • Learner Analytics (when participants are in the EEA)
  • Other campus activities that involve the personal data of individuals in the EEA

If GDPR may affect my department, what do I do?

If you believe your department may process the personal data of individuals in the EEA, look at GDPR Simplified to get a quick overview of the regulation and then take this online survey to assess whether your department has personal data likely affected by the GDPR. If you find you are likely subject to the GDPR, or if you are unsure, please contact the campus Privacy Officer. UC resources are available to identify personal data subject to the GDPR as well as to comply with the GDPR; the campus Privacy Officer will connect your department with these resources upon request.

How may a data subject in the EEA exercise their rights under GDPR?

If you are a data subject in the EEA and want to exercise your rights under the GDPR (Chapter III, Articles 12-23), please fill out this form and return it to the campus Privacy Officer.

[1] The EEA includes those countries that make up the European Union as well as Iceland, Liechtenstein, and Norway.