The University of Alabama currently is developing a GDPR compliance program. Representatives from a variety of areas across campus have convened a working group to establish priorities and develop compliance tools. If you or your area would like to be a part of this effort, please contact cera@ua.edu for inclusion.
See the UA GDPR Review for an overview of the GDPR requirements and UA’s compliance efforts. Updates to these efforts will be posted here. Currently this group is working to:
- Develop a risk-based GDPR compliance strategy.
- Plan how UA will meet key GDPR compliance requirements.
- Prepare the university to adequately respond to questions and requests related to GDPR.
- Begin implementation of prioritized GDPR requirements.
- Develop recommendations for an ongoing, sustainable GDPR compliance program.
- Develop GDPR compliance resources for use by the university community, including:
- Privacy notices.
- Consent documents.
- Contract guidance.
- Data mapping guidance.
Many of our existing contracts, agreements with third party vendors, or other collaboration agreements may be impacted by this new regulation. As a result, you may see an increase in requests for contract addendums, data protection addendums or agreements, attestations, or other such documents from existing contractual partners. It is important that these documents are reviewed by the appropriate parties to ensure that the University can comply with these new regulations. To facilitate this, Compliance, Ethics and Regulatory Affairs (CERA) will coordinate weekly meetings with Legal and Office of Information Technology officials to review such documents and to recommend any modifications needed. To that end, please direct any contract addendum request, data protection addenda or agreements, attestations, or such documents related to GDPR to cera@ua.edu so that they may be subjected to a review prior to executing the agreement. Please note if the review is time sensitive. The review group meets weekly, typically on Thursdays at 3:30pm, to facilitate rapid returns.
What is GDPR and how does it affect me at UA?
The General Data Protection Regulation (GDPR) took effect May 25, 2018. Because of the scope of the regulation, it affects organizations worldwide, including The University of Alabama. The GDPR:
- Replaced the Data Protection Directive 95/46/ec as the primary law regulating how companies and organizations protect the personal data of European Union (EU) residents.
- Expands personal privacy rights for both EU residents and non-EU citizens while they are located in the EU.
- Creates a baseline set of standards for organizations that handle certain types of data about individuals located in the EU to better safeguard the processing and movement of that data.
- Applies to institutions if they control or process covered information, even if those institutions have no physical presence in the EU (irrespective of whether the subject individuals are EU citizens).
- Calls for fines of up to 4% of annual global turnover, or 20 million euros, whichever is more, for violations of the regulation.
This Regulation may have specific implications for your area or department if you collect, process, or store (or uses a third party to collect, process, or store) personal data from individuals in the European Union, even if those individuals are not EU citizens. The GDPR defines “personal data” very broadly such that the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used, directly or indirectly, to identify an individual.
What can I do?
It will take some time for organizations around the world to sort through, understand, and determine the best way to meet the GDPR requirements. Watch for more information from the University’s GDPR working group regarding program implementation. If you have immediate questions or concerns, send email to cera@ua.edu.
If you want to learn more about the GDPR, see the links below or do a web search for “General Data Protection Regulation” for additional resources.
- Survey Best Practices for GDPR
- EU Data Protection (European Commission)
- General Data Protection Regulation (Wikipedia)
- E. U. Data Protection Law Looms (Inside Higher Ed)
- The General Data Protection Regulation Explained (Educause)
- EU’s General Data Protection Regulation Resources (GDPR) (AACRAO)
- ICO Guide to the General Data Protection Regulation
What references are available?
EU Article 29 Working Party
- Article 29 Working Party Guidance on Data Portability
- Article 29 Working Party Guidance on Data Protection Officers
- Article 29 Working Party Guidance on identifying the Lead Supervisory Authority
- Article 29 Working Party Guidance on Data Protection Impact Assessments (DPIA)
- Article 29 Working Party Guidance on Personal Data Breach Notification
- Article 29 Working Party Guidance on the Application and Setting of Administrative Fines
- Article 29 Working Party Guidance on Automated individual decision-making and Profiling
- Article 29 Working Party Guidance on Adequacy Referential
- Article 29 Working Party Guidance on Binding Corporate Rules for Controllers
- Article 29 Working Party Guidance on Binding Corporate Rules for Processors
- Article 29 Working Party Guidance on Consent
- Article 29 Working Party Guidance on Transparency
- Article 29 Working Party DRAFT Guidance on Article 49 of the regulation (now closed for public consultation)
- Article 29 Working Party DRAFT Guidance on the accreditation of certification bodies (now closed for public consultation)
- Article 29 Working Party Position Paper on Article 30(5)
- Article 29 Working Party Statement on Encryption
- Article 29 Working Party Recommendation on the Approval of Controller Binding Corporate Rules form
- Article 29 Working Party Recommendation on the Approval of Processor Binding Corporate Rules form
- Opinion 4/2007 on the concept of personal data
The Article 29 Working Party has issued guidelines in draft status on the following subjects: