General Data Protection Regulation Compliance

UA GDPR Compliance Programs
what can you do
Webinar Series
References

The General Data Protection Regulation (GDPR) took effect May 25, 2018.  Because of the scope of the regulation, it affects organizations worldwide, including The University of Alabama. The GDPR:

  • Replaced the Data Protection Directive 95/46/ec as the primary law regulating how companies and organizations protect the personal data of European Union (EU) residents.
  • Expands personal privacy rights for both EU residents and non-EU citizens while they are located in the EU.
  • Creates a baseline set of standards for organizations that handle certain types of data about individuals located in the EU to better safeguard the processing and movement of that data.
  • Applies to institutions if they control or process covered information, even if those institutions have no physical presence in the EU (irrespective of whether the subject individuals are EU citizens).
  • Calls for fines of up to 4% of annual global turnover, or 20 million euros, whichever is more, for violations of the regulation.

This Regulation may have specific implications for your area or department if you collect, process, or store (or uses a third party to collect, process, or store) personal data from individuals in the European Union, even if those individuals are not EU citizens. The GDPR defines “personal data” very broadly such that the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used, directly or indirectly, to identify an individual.

Data Subject Access Request

Submit a question