GDPR Q&A

What is the GDPR?

The GDPR, or General Data Protection Regulation, is the data privacy regulation in the European Union. It governs the collection and processing of personal data of individuals in EU countries as well as Iceland, Norway, and Liechtenstein when the data is collected.    

What is Personal Data?

Under the GDPR, the definition of “personal data” means any information relating to an identified or identifiable natural person (“data subject)” (Article 4). This includes name, email address, IP address, or other factors specific to the physical, physiological, genetic, mental, cultural, economic or social identify of that natural person.

How does the GDPR apply to the University of Minnesota?

The GDPR may apply to certain personal data collected by the University of Minnesota because we engage in business activities that collect or process personal data of individuals in the EU.

How does the University of Minnesota plan to comply with GDPR?

We are in the process of identifying and assessing data flows that may be impacted by GDPR and developing a risk-based GDPR compliance strategy in support of GDPR requirements. We will begin implementing prioritized GDPR requirements, develop recommendations for a sustainable GDPR compliance program, and make GDPR compliance resources available to the University community as they become available.

How do I know if the GDPR applies to my unit?

If you collect, process or store personal data from individuals who are physically located in the EU, or if you use a third party to collect, process, or store personal data from individuals who are located in the EU, you might be subject to the regulation. Some examples might include information on students either applying or studying in the EU; employees working in the EU; faculty members doing research in the EU; selling goods or services to persons in the EU; or marketing to alumni who reside in the EU.

What should I do if the GDPR applies to my unit?

First of all, don’t panic. The University of Minnesota takes compliance with the GDPR very seriously. Information is being pushed out to those who need to take action. Stay tuned for updates as they occur.

Does the GDPR affect my research?

It might. The collection, storage, and processing of any personal data collected from individuals in the EU must comport with GDPR requirements. Research or other sponsored activities involving the collection of regulated personal data, such as clinical trials with participants in the EU, would thus be affected. The allocation of responsibility for GDPR compliance should be agreed to explicitly with EU collaborators or subrecipients. Consent form content, personal data handling, and reporting (in the event of a breach of confidentiality) are all research and trial areas governed by the GDPR.  

If we are following FERPA or other U.S. federal and state laws, isn’t that enough for the GDPR?

Sadly, no. The GDPR has a different set of requirements than FERPA or any other current state or federal laws. For instance, FERPA only applies to students, and the definition of “education records” does not include much of what is considered personal data under the GDPR.

What are the penalties for non-compliance?

Regulators have a wide range of enforcement tools, ranging from the ability to issue warnings to the imposition of monetary fines. The fines and penalties outlined in the regulation are high: organizations can be fined up to 4% of annual global turnover for breaching the GDPR or €20 Million, whichever is more. This is the maximum fine that can be imposed for the most serious infringements.  

What should I do if I receive a GDPR contract addendum from a vendor?

Forward the addendum to Paul Savereide ([email protected]) in the Office of the General Counsel.

I keep seeing Data Controller and Data Processor on information sent to me to sign. What is the difference, and how do I know which applies to me?

A Controller is the entity that says how and why personal data is processed, and the Processor is the organization that processes the data on behalf of the Controller. As an example, if you are providing data to a third party or directing others (e.g. students, patients, customers) to provide data to a third party, the University is the Data Controller and the third party receiving the data is the Data Processor.