The General Data Protection Regulation (GDPR) is a European Union (EU) law that focuses on protecting the privacy of personal data for all residents of the EU member states. GDPR demands that you are able to demonstrate compliance with its data processing principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability and individuals' rights provisions, as well as building a workplace culture of data privacy and security.

Main requirements of GDPR

• Breach notification: Individuals must be notified when a breach occurs.
• Right to access: Individuals have a right to verify whether or not their personal data is being processed, where and for what purpose.
• Right to be forgotten: Individuals have the right to request that entities erase their data, stop further dissemination of data, and potentially stop third parties from processing data.
• Data portability: Individuals have the right to receive their personal data concerning them that was previously provided to entities.
• Privacy by design: Entities must implement data protection controls from the onset of designing systems.
• Data Protection Officers: Under certain circumstances, entities must appoint a Data Protection Officer. 

Top

Personal data covered by GDPR

GDPR applies to personal data. This is any information that can directly or indirectly identify an individual and can be in any format.

• Name and surname.
• Home address.
• Email address.
• Location data (for example the location data function on a mobile device).
• Data held by a hospital or doctor that uniquely identifies a person.
• Social Security number/government identifier.
• Internet protocol (IP) address
• Online behavior (cookie ID).
• Advertising identifier of a phone.
• Content of exam paper.
• Profiling and analytics data.

Top

Special categories

The Regulation places much stronger controls on the processing of special categories of personal data. GDPR considers the following to be special categories of personal information.

• Race.
• Religion.
• Political opinions.
• Trade union membership.
• Sexual orientation.
• Health information.
• Biometric data.
• Genetic data.

Top

University activities

With regards to how GDPR will affect how we do things at the university, here are examples university activities could be subject to GDPR.

• Research involving persons living in the EU.
• Data collected by university researchers directly.
• Data collected by entities located in the EU, then transferred and sold to university researchers.
• Processing of data by university for controllers or processors located in the EU.
• university apps marketed to persons living in the EU.
• Internet browsing data/cookies of persons living in the EU.
• University admissions data regarding persons living in the EU.
• Data of persons living in the EU collected during the recruitment process of university staff or faculty.
• Data of university professors teaching abroad.
• Data of university students (for example, those studying abroad).
• Data of persons living in the EU collected during university fundraising efforts.
• University medical records.
• Metadata and logs.
• Mail headers, key card access logs and library records.

Top

Resources

Here are some articles about GDPR:

• Toolkit to Help University Institutions Prepare for New Data Protection Legislation GDPR.
• EU General Data Protection Regulation (GDPR).
• The General Data Protection Regulation Explained.
• Data protection.

For more information about GDPR, please send an email to umd-privacy@umd.edu. 

Top