If your U-M unit collects and uses personal data, use this toolkit to assess your processes and address General Data Protection Regulation (GDPR) requirements. This toolkit is part of GDPR Compliance at U-M.
First, Determine if GDPR Applies
Answer two questions to help you determine whether the GDPR applies to your data. See Assessment: Does GDPR Apply?
If you believe the GDPR applies to the non-research data you are collecting and processing, please provide additional information to the university's Privacy Office by completing the GDPR Data Survey (U-M Google Form; U-M login required).
If the data you collect is used for research purposes, please contact the IRB Health Sciences and Behavioral Sciences (HSBS) at email@example.com. Michigan Medicine researchers, please contact firstname.lastname@example.org.
Privacy Statements, Notices, and Templates
The University of Michigan recognizes and values the privacy of the university community members and its guests. Our privacy statement and notice reflect our commitment to privacy and comply with the GDPR.
- U-M Privacy Statement (a general statement on how the university protects privacy)
- U-M Website Privacy Notice (specific to the umich.edu website)
U-M units and departments are encouraged to clearly disclose the collection and processing of personal information in a timely manner using these tools:
General Consent Language
We have worked with the Institutional Review Board for Health Sciences and Behavioral Sciences (IRBHSBS) to provide GDPR-compliant consent language as appropriate. Please work with your IRB to obtain the latest version, as applicable and as necessary.
If you need specific consent language for a non-IRB-related website, form, or other project, contact us at email@example.com, and we will help you craft GDPR-compliant language.
Standard GDPR addenda are available for you to include in U-M contracts as needed. Work with Procurement Services to ensure your contracts address GDPR requirements where appropriate.
If you have questions or need help with the GDPR Toolkit, send email to firstname.lastname@example.org.