General Data Protection Regulation (GDPR) Compliance

About the GDPR

The General Data Protection Regulation (GDPR) affects organizations worldwide, including universities. The GDPR:

  • Replaces the Data Protection Directive 95/46/ec as the primary law regulating how companies and organizations protect the personal data of European Union (EU) residents.
  • Expands personal privacy rights for EU residents and also affects non-EU citizens located in the EU.
  • Mandates a baseline set of standards for organizations that handle certain personal and other data of individuals located in the EU to better safeguard the processing and movement of that data.
  • Applies to institutions with no physical EU presence if they control or process covered information (irrespective of whether the subject individuals are EU citizens).
  • Calls for fines of up to 4% of annual global turnover, or 20 million euros, whichever is more, for violations of the regulation.

Learn more about the GDPR and its impact on U-M at GDPR Frequently Asked Questions.

U-M GDPR Compliance Program

The university's GDPR compliance program focuses on these aspects of the GDPR compliance process:
 

  • Lawful processing of personal data. The GDPR requires that personal data be processed lawfully, fairly, and in a transparent manner in relation to the data subject. The program engages with units to assess U-M processes that collect or process the personal data of individuals residing in the EU. It also maintain a register of processing activities that have been determined to require compliance with the GDPR.
  • Data subject rights. Data subjects have a number of rights under the GDPR, including the right to see information about the processing of their personal data, obtain access to own personal data, and request that the data be corrected or erased. In support of these rights, the program provides privacy notices and templates (see GDPR Toolkit) and manages requests from data subjects.
  • Contract management. The program maintains addenda regarding GDPR compliance to include in contracts with third-party providers that collect and/or process personal data. These addenda have been provided to Procurement Services, which works with units to include them where needed.
  • Data breach management. In the event of a breach of personal data covered by the GDPR, the program has the responsibility for notifying data protection authorities and data subjects as outlined in the GDPR.
  • Education and outreach. The program regularly engages in activities and outreach in support of privacy protection across U-M and peer institutions.

The program is managed by the Chief Information Security Officer and the Office of the General Counsel and supported by a group of representatives from across the university.

GDPR Toolkit

Contact Us

Direct questions or concerns to [email protected].