What is the GDPR?
The General Data Protection Regulation (GDPR) represents a significant change in data privacy regulation. It replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, provide rights to European Union (EU) citizens regarding data privacy, and reshape the way organizations across the region approach data privacy.
Whose data does the GDPR protect?
The GDPR covers personal information of all natural persons—that is, people, but not legal entities like corporations or nonprofits—physically within the EU ("EU data subjects"). The GDPR makes no distinctions based on individuals' permanent places of residence or nationality. The GDPR applies to all such individuals' personal data.
What constitutes personal data?
Personal data in the context of GDPR means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to, among other things, an identifier such as a name, an identification number, location data, or an online identifier. Examples of personal data include, but are not limited to, name and surname, home address, a photograph, email address (such as firstname.lastname@example.org), identification card numbers, personal phone numbers, location data (for example, the location data function on a mobile phone), Internet Protocol (IP) addresses, cookie IDs, the advertising identifier of a phone, data held by a hospital or doctor that uniquely identifies a person (for example, a unique patient number), and the content of exam papers.
Who does the GDPR affect?
The GDPR applies to organizations located within the EU, and it also states that it applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. Put another way, it will attempt to apply to all companies processing and holding the personal data of EU data subjects, regardless of the company’s location.
Do the rules only apply to EU citizens or residents?
Citizenship or residence is not a condition that triggers the application of the GDPR rules, requirements, and rights. GDPR may apply whether you are a EU citizen or not, depending on the circumstances.
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching the GDPR or €20 Million, whichever is more. This is the maximum fine that can be imposed for the most serious infringements—for example, not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, however, and a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors—meaning "clouds" will not be exempt from GDPR enforcement.
What does GDPR mean to the University of Michigan?
The University of Michigan is developing a GDPR compliance program to assist in analyzing and complying with the requirements of GDPR. The University Privacy Officer and the Office of General Counsel convened a working group in February 2018 with representatives from Office of General Counsel, Office of Research, International Center, Global Engagement, Academic Innovation, Michigan Medicine Corporate Compliance, Procurement, University Development, Enrollment Management, University HR, and Alumni Association.
It will take a few years for a more precise understanding of how GDPR will be further defined, interpreted, and enforced by the EU and national data protection authorities of its member states. The University of Michigan will be paying close attention to the evolution of the law's compliance requirements over the coming years and will respond as needed.
Why does GDPR apply to the University of Michigan?
GDPR may apply to certain personal data collected by the University of Michigan because, in certain limited circumstances, we engage in business activities that collect or process the personal data of individuals residing in the EU.
What are examples of where GDPR applies and does not apply at U-M?
Examples of when the GDPR may apply at U-M:
- A cohort of non-EU students is participating in a semester-long study abroad in Italy, Belgium, and UK.
- Office of Development is engaged in a fundraising campaign and is collecting donor information from alumni residing in the EU.
- A research consortium in the EU provides the University of Michigan with the personal data of EU citizens for research analysis.
Examples of when the GDPR does not apply at U-M:
- Expatriate research group formed on campus, that is, groups at the university made up of EU citizens who are students at U-M.
- EU faculty are recruited at an academic conference held in Orlando, Florida. In contrast, GDPR would apply if these faculty members were recruited at a conference in Barcelona, Spain.
How does the University of Michigan plan to comply with GDPR?
We are in the process of identifying and assessing data flows that may be impacted by GDPR and developing a risk-based GDPR compliance strategy in support of GDPR requirements. We will begin implementing prioritized GDPR requirements, develop recommendations for a sustainable GDPR compliance program, and make GDPR compliance resources available to the University community as they become available.
What do I need to do now to prepare for the new GDPR requirements?
You do not need to do anything immediately. It will take some time for organizations around the world to sort through, understand, and determine the implications of the GDPR requirements, as well as figure out how best to meet them. Watch for more information as the university's GDPR working group goes about its work. If you have immediate questions or concerns, send email to email@example.com or visit the university’s GDPR website.
What do I need to do if I receive a pop-up or other notification from a software application or a service provider regarding GDPR compliance?
Pursuant to Delegation of Authority to Bind the University to External Agreements on (SPG 601.24), most University of Michigan employees are not authorized to accept agreements or certify compliance on behalf of the university. Please refer third party notifications related to GDPR compliance to firstname.lastname@example.org.
Does GDPR apply to data collected prior to May 25, 2018 (when the regulation takes effect)?
Requirements around the process of collecting data protected by GDPR will not be enforced retroactively. For example, if data subject to GDPR were collected using an old consent form, or without consent, prior to May 25, 2018, the University of Michigan will not seek consent for this existing data. However, if that data continues to be stored and/or processed by the university, the university is required to meet its obligations as a data controller under GDPR starting on May 25, 2018.
Does the GDPR apply to de-identified data?
The GDPR does not apply to anonymous information.