What is GDPR?

The European Union's General Data Protection Regulation (GDPR) is a comprehensive and sweeping privacy law that applies to most entities that handle the personal data of individuals in the European Economic Area (EEA). Its scope is more expansive, and its requirements different from, those of most US privacy laws, such as FERPA or HIPAA.


Some UC San Diego activities that may potentially be in-scope of the GDPR are:

  • Research
    • Direct contact with participants in the EEA
    • Using EEA databases
    • Collaborating with EEA entities
  • Recruiting and admissions activities
  • Learner analytics
  • Offering classes in EEA, study abroad programs
  • Providing alumni services in EEA
  • Websites directed at individuals in EEA
  • Soliciting from donors in the EEA
  • Concierge medical services
  • Other activities that involve personal data of individuals in the EEA

What is "personal data" under the GDPR?

The GDPR has an expansive view of "personal data." Beyond direct identifiers, the GDPR covers any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly. This includes names and ID numbers, but it also includes location data, online identifiers, and any factor related to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.


What readiness efforts should UC San Diego units undertake? 

Training: 

The GDPR is increasingly used as a model for other privacy regulations around the world, and its principles serve as the basis for the UC San Diego privacy program.  Therefore, all members of the UC San Diego community are highly encouraged to attend an Introduction to Privacy training session, which uses the GDPR as a framework to begin a campus-wide dialogue about privacy and data handling practices.  The training is beneficial for individuals in any role at the University; staff, faculty, students, and administrators are all welcome and encouraged to attend, even if they do not handle data from Europe. 

Self-assessment: 

After attending the training session, units should walk through the GDPR Initial Decision Tool with a group consisting of their leadership, subject matter experts, users, and IT support.  The GDPR does not impact all units equally, and impacted units may undertake substantially different readiness efforts based on their needs and processes.  You may find that some of your practices are in-scope of the GDPR and others aren't.

GDPR Initial Decision Tool


Start to Know Your Data:

After completing training and the self-assessment, review the Guiding Principles for Personal Data and begin a conversation with your executives, subject matter experts, users, and IT professionals about your unit's data.  Units should know, at minimum:

  • What data they handle
  • Where the data are
    • Stored
    • Transferred (is there a data flow diagram?)
  • What the data are used for (purpose specification), including secondary purposes and research
  • What retention schedule applies to the data

As good stewards of institutional assets and data, groups should have a basic inventory of the data within their care, whether or not the GDPR applies. This initial inventory will assist not only with GDPR readiness but with any other data privacy regulation. It is also the first step toward meeting the requirements of the GDPR, which include documentation and the ability to respond to data subject requests in a timely manner.

Check back often for more guidance, tools, resources, and templates from the UC San Diego Privacy Office.

Contact the Privacy Office:

To assist campuses in implementing the GDPR requirements, UCOP’s GDPR team has developed a library of operational tools and legal advisories specifically designed for each required compliance process under GDPR.  These tools and advisories are available on a Box site and have also been organized into a compliance framework that is available internally to all UC employees on the Ethics, Compliance and Audit Services (ECAS) SharePoint site. 

Resources 

For questions regarding GDPR, as well as access to the Box site and/or ECAS GDPR Compliance Framework SharePoint site, please contact the Campus Privacy Office.