General Data Protection Regulation (GDPR)

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation, or the GDPR, is a European Union (EU) regulation designed to protect the privacy rights of individuals in the European Economic Area (EEA), which includes the European Union, Iceland, Norway, and Liechtenstein. It is intended to be an overarching privacy regulation for all EU Member States and replaces prior EU privacy regulations.

What does GDPR do?

GDPR expands privacy rights for individuals located in the EEA. Specifically, it guarantees certain rights, depending on how the data is used:

  • The right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes;

  • The right to make informed decisions regarding the use and disclosure of the data;

  • The right to access the data; and

  • The right to have the data returned or deleted.

It also governs data pertaining to these individuals even when the data is located in other countries, regardless of the citizenship of the individuals. Specifically, the GDPR establishes a framework for safeguarding how personal data is used, such as:

  • Ensuring that the data is transferred, processed, stored and eventually disposed of using appropriate technical safeguards;

  • Limiting the use/processing of the data to purposes that comply with GDPR requirements (e.g., managing the academic records of UC students studying in the EEA as part of Education Abroad);

  • Requiring third parties who receive the data to adopt UC’s GDPR protections and safeguards through changes to contract terms.

Who does GDPR apply to?

GDPR applies to all organizations that are established in the EEA, including higher education institutions (e.g., a study center in Europe). It also applies to organizations not physically located in the EEA when goods or services are offered to individuals in the EEA (e.g., applications for admission), or when the behavior of individuals in the EEA is monitored by individuals either inside or outside of the EEA (e.g., research that includes EU citizens).

Are there penalties for GDPR non-compliance?

Yes, GDPR imposes significant monetary penalties on organizations that do not comply with the regulation. The fines are up to €20M ($28M) or 4% of global revenue.

What is the UCB Privacy Office doing to comply with GDPR?

The Privacy Office established a Working Group to address issues that are specific to the impact of GDPR at our campus.

The Working Group is composed of representatives from key sectors likely to be affected by the regulation and who will drive implementation efforts here at Berkeley, including Privacy, Compliance, Legal Affairs, Information Technology, Security, Risk Management, Insurance Services, and others. The primary goal of the Working Group is to develop guidelines, processes, and policy changes to be implemented at Berkeley to promote compliance with GDPR.

The Privacy Office is also working closely with the UC Office of the President (UCOP) and the Office of the General Counsel (OGC) in accordance with their system-wide GDPR efforts as listed below.

What is the University of California (UC) doing to comply with GDPR?

UC’s compliance, privacy, and information technology programs are working together to develop an effective GDPR compliance program. This program is specifically designed to enhance the existing privacy infrastructure at UC to ensure compliance with this new regulation.

Program activities include:

  • Assessing how GDPR will affect UC programs
  • Developing tools and templates to assist UC programs with GDPR compliance
  • Developing communication tools to provide greater transparency to UC students, employees, and other UC program participants regarding the collection and use of personal data
  • Ensuring that appropriate physical and technical safeguards are in place to protect the personal data of individuals
  • Working with our partners and vendors to ensure that data protections are maintained when personal data is transferred outside UC

What can I do to prepare my office for GDPR?

  1. Learn which countries are covered under GDPR
  2. Familiarize yourself with GDPR
  3. Read a few common scenarios that would require UCB to comply with GDPR
  4. Use the UCB GDPR Applicability Decision Tool
  5. Use the UCB GDPR Checklist for Higher Education
  6. Review tools & resources and FAQs from UCB, UCOP, and selected external partners, and start working on a plan for your office
  7. Stay tuned. GDPR.berkeley.edu will be updated regularly

Questions

For questions relating to GDPR and its impact at UCB, please contact the Privacy Office.