EU GDPR Frequently Asked Questions
See the overview on GDPR, or answers to individual questions, below.
1. What is EU GDPR?
The European Union General Data Protection Regulation (GDPR) represents a significant change in data privacy regulation for the European Union (EU). It replaces the Data Protection Directive 95/46/EC and is designed to provide rights to individuals within the EU regarding data privacy, and reshape the way organizations across the region approach data privacy.
2. Who does GDPR affect?
The GDPR applies to organizations located within the EU, and it also applies to organizations located outside of the EU if they offer goods or services to, collect data from, or monitor the behavior of individuals in the EU, regardless of the organization’s location. It is intended to affect organizations worldwide, including universities.
3. What constitutes personal data?
Personal data in the context of GDPR means any information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or an online identifier. Examples of personal data include, but are not limited to, name and surname, home address, a photograph, email address (such as email@example.com), identification card numbers, personal phone numbers and location data.
4. When does the GDPR take effect?
On May 25, 2018, the GDPR will take effect for businesses outside the EU that process data on EU citizens.
5. What does GDPR mean to the University of Arizona?
The University of Arizona is developing a GDPR compliance program to assist in analyzing and complying with the requirements of GDPR. The Chief Information Officer, the University Security Office and the Office of General Counsel have convened a working group with representatives from across the university.
It could take a few years to develop a more precise understanding of how GDPR will be further defined, interpreted, and enforced by the EU and national data protection authorities of its member states. The UA will be paying close attention to the evolution of the law's compliance requirements over the coming years and will respond and adjust compliance efforts as needed.
6. Why does GDPR apply to the University of Arizona?
GDPR may apply to certain personal data collected by UA because, in certain circumstances, we engage in business activities that collect or process the personal data of individuals residing in the EU.
7. What are some examples of where GDPR applies at UA?
- A cohort of non-EU students is participating in a semester-long study abroad in Italy, Belgium, and the UK.
- The Office of Development is engaged in a fundraising campaign and is collecting donor information from alumni residing in the EU.
- A research consortium in the EU provides the UA with the personal data of EU citizens for research analysis.
- A person within the EU applies for admission to, or employment at, the UA.
8. How does the University of Arizona plan to comply with the new GDPR requirements?
We are in the process of identifying and assessing data flows that may be impacted by GDPR and developing a risk-based GDPR compliance strategy in support of GDPR requirements. We will begin implementing prioritized GDPR requirements, develop recommendations for a sustainable GDPR compliance program, and make GDPR compliance resources available to the UA community as they become available.
9. What do I need to do to prepare for the new GDPR requirements?
You need to respond to any requests for information from the UA’s GDPR compliance team and fully cooperate in any compliance efforts that are recommended or required by the compliance team. It will take some time for organizations around the world to sort through, understand, and determine the implications of the GDPR requirements, as well as figure out how best to meet them. Watch for more information as the university's GDPR working group goes about its work. If you have immediate questions or concerns, send email to Tom Bourgeois at firstname.lastname@example.org.
The information contained in this FAQ is for informational purposes and does not constitute legal advice. Each individual case is different, and advice may vary depending on the situation. Further, the law and policy considerations may change as GDPR is implemented and analyzed in a legal setting, and the information contained herein may not be updated as needed to maintain accuracy in a changing legal landscape.