General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), effective May 25, 2018, regulates, and strengthens enforcement of, the privacy and security controls that apply to personal data in the EU. The GDPR also applies to organizations outside the EU when they offer goods or services to, or monitor the behavior of, individuals (“data subjects”) in the EU.
The UA has policies and practices to protect the privacy and personal data of students, employees, and other data subjects. Please review the Supplemental Privacy Provisions for Persons in the European Union (“GDPR Supplement to Privacy Statement”) implemented pursuant to Regulation (EU) 2016/679 (“Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data”), effective May 25, 2018.
These EU Privacy Provisions supplement UA’s Privacy Statement and should be read together with it. They are intended to be consistent with the GDPR’s data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. For more information regarding the GDPR and these principles, please refer to the full text of the GDPR.
The General Data Protection Regulation is an EU-wide law that came into effect on 25 May 2018. In the UK it is accompanied by the Data Protection Act 2018, which replaced the Data Protection Act 1998. It represents a significant change in data privacy regulation for the EU, placing greater obligations on organizations that handle personal data, and it is designed to reshape the way organizations approach data privacy.
The GDPR applies to organizations operating within the EU, as well as to any organizations outside the EU that process data, offer goods or services to, collect data from, or monitor the behavior of individuals in the EU, regardless of the organization’s location. GDPR is intended to affect organizations worldwide, including universities.
The GDPR applies to the “personal data” of individuals in the EU. Personal data in the context of the GDPR means any information relating to an identified or identifiable living person. An identifiable living person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
“Personal data” means any information relating to you, recorded in any form that can identify you directly or indirectly, including but not limited to name and surname, date of birth, addresses (including email addresses), personal phone numbers, personal identification or identification card numbers, online identifiers, location data, photographs, ethnicity or cultural identity, or data related to your economic, genetic, psychological, physiological, and social identity.
“EU Personal Data” means personal data you submit or disclose to UA (or to a third party that transfers it to UA for processing) while you are located in the European Union.
The GDPR seeks to empower individuals to take control of their personal data, to support organizations’ lawful processing of personal data, and to ensure that UK data protection law keeps pace with technological change while providing continuity in how the law is applied.
The GDPR contains the following seven key principles, which should be at the heart of the University’s approach to processing personal data whenever the GDPR applies:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has published a great deal of useful information about the GDPR, including interpretive analysis, guidance, and self-assessment mechanisms.
The following resources are offered here to help colleges and units understand their business operations, the data the college or unit collects and processes, and the reason for the processing. These understandings are critical first steps to identifying whether the GDPR applies to your activities or not. Additional resources will be added to this site as they become available.
Disclaimer: The information contained in these FAQs is for informational purposes only and does not constitute legal advice. Each individual case is different, and advice may vary depending on the situation. Further, the law and policy considerations may change as the GDPR is implemented and interpreted in legal settings.