The University of Arizona has a GDPR Compliance Program to assist in analyzing and complying with the requirements of GDPR. The Chief Information Officer, the University Information Security Office and the Office of General Counsel, in collaboration with the University Compliance Officer, have convened a working group with representatives from across the University.
It will take some time to develop a precise understanding of the GDPR and how it will be interpreted and enforced by the EU and national data protection authorities of its member states. The UA GDPR Compliance Program will monitor EEA communications regarding the regulation and will respond and adjust compliance efforts as needed.
As the GDPR Compliance Program evolves, internal guidance for the UA Community will adapted and communicated via this site. NET ID Login will be required to access internal guidance.
The General Data Protection Regulation is a Europe-wide law that came into effect on 25 May 2018, replacing the Data Protection Act of 1998 in the UK. It represents a significant change in data privacy regulation for the EU, placing greater obligations on organizations that handle personal data. It is designed to reshape the way organizations approach data privacy.
The GDPR applies to organizations operating within the EU, as well as to any organizations outside the EU that process data, offer goods or services to, collect data from, or monitor the behavior of individuals in the EU, regardless of the organization’s location. GDPR is intended to affect organizations worldwide, including universities.
The GDPR applies to “personal data” of EU residents. Personal data in the context of GDPR means any information relating to an identified or identifiable living person. An identifiable living person is one who can be directly or indirectly identified in particular by reference to an identifier.
“Personal data” means any information relating to you, recorded in any form that can identify you directly or indirectly, including but not limited to name and surname, date of birth, addresses (including email addresses), personal phone numbers, personal identification or identification card numbers, online identifiers, location data, photographs, ethnicity or cultural identity, or data related to your economic, genetic, psychological, physiological, and social identity.
“EU Personal Data” means personal data you submit or disclose to UA (or to a third party that transfers it to UA for processing) while you are located in the European Union.
The GDPR came into effect on 25 May 2018, replacing the Data Protection Act of 1998.
The GDPR seeks to empower individuals to take control of their personal data, to support organizations’ lawful processing of personal data, and to ensure UK data protection law keeps pace with technological change while bringing continuity to such legal application.
The GDPR contains the following seven key principles, which should be at the heart of the University’s approach to processing personal data when GDPR is applicable:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
The University of Arizona has a GDPR compliance program to assist in analyzing and complying with the requirements of GDPR. The Chief Information Officer, the University Information Security Office and the Office of General Counsel, in collaboration with the University Compliance Officer, have convened a working group with representatives from across the University.
It will take some time to develop a precise understanding of the GDPR and how it will be interpreted and enforced by the EU and national data protection authorities of its member states. The UA will be paying close attention as the law's compliance requirements evolve and will respond and adjust compliance efforts as needed.
GDPR applies to certain personal data collected by UA in circumstances where we
- Engage in business activities that collect or process the personal data of individuals residing in the EU (e.g., foreign student data).
- Engage in business or research activities that collect, process, or provide data relating to an identified or identifiable person to third parties (collaborating researchers, other Universities, processors, etc.).
- A cohort of non-EU students is participating in a semester-long study abroad in Italy, Belgium, and the UK
- A college development office reaches out to UA alumni residing in the EU for a fundraising campaign
- A research consortium in the EU provides the UA with the personal data of EU citizens for research analysis
- A person within the EU applies for admission to, or employment at, the UA
The University of Arizona engaged the help of a consulting firm to help us understand how GDPR affects us. We will be assessing the impacts across campus and developing a GDPR compliance program to assist in analyzing and complying with the requirements of GDPR. Applying a risk-based approach, our initial focus includes the following areas and units:
- Contracts and data-sharing agreements
- Processing activities and data management
- UA Global and Study Abroad
- University research, including UA Health Sciences research and medical research
- Marketing and communications
- Division of Student Affairs & Enrollment Management
- Fundraising/Foundation/Alumni Association
- Division of Human Resources
GDPR compliance resources are being provided to the UA community as they become available.
The GDPR “security principle” is that you process personal data securely by means of “appropriate technical and organizational measures.”
This means you need to consider things like risk, organizational policy, and physical and technical measures. You also need to consider additional security requirements around data processing, which also apply to data processors you may engage on your behalf. Where appropriate, pseudonyms, encryption, or other methods should be used to ensure the confidentiality, integrity, and availability of the systems and the data processed within them. Measures must also enable the restoration of access and availability to the personal data in the event of a physical or technical incident, and these measures must also be tested for effectiveness.
You need to respond to any requests for information from the UA’s GDPR compliance team and fully cooperate in any compliance efforts that this team recommends or requires.
Understanding your business operations, the data your college or unit collects and processes, and the reason for the processing are critical first steps to understanding whether and how the GDPR applies to your activities. To the extent other risk-based assessment activities can be leveraged to include GDPR data privacy concerns, the better positioned you are to address GDPR if and when appropriate.
It will take some time for organizations around the world to sort through, understand, and determine the implications of the GDPR requirements, as well as figure out how best to meet them. Watch for more information as the University's GDPR task force goes about its work.
If you have immediate questions or concerns, email Privacy@email.arizona.edu.
Disclaimer: The information contained in these FAQs are for informational purposes and does not constitute legal advice. Each individual case is different, and advice may vary depending on the situation. Further, the law and policy considerations may change as GDPR is implemented and analyzed in a legal setting.
University GDPR Resources
The following resources are offered here to help colleges and units understand their business operations, the data the college or unit collects and processes, and the reason for the processing. These understandings are critical first steps to identifying whether the GDPR applies to your activities or not. Additional resources will be added to this site as they become available.
Information Commissioner’s Office (ICO) GDPR Resources
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has published a great deal of useful information about the GDPR, including interpretive analysis, guidance, and self-assessment mechanisms.