The European Union’s (EU) General Data Protection Regulation (GDPR) signals a comprehensive, consumer-oriented approach to data privacy. It replaces and significantly expands the Data Protection Directive 95/46/EC which only applied to organizations with an EU physical presence. As a regulation, GDPR is legally binding on all EU member countries and does not require individual member legislation to enact.
One of the key drivers behind creating this new regulation was to harmonize data-protection laws throughout Europe, where the requirements are generally more strict than those in the United States. GDPR may apply to certain personal data collected by UW‑Madison where we engage in business activities that collect or process the personal data of individuals physically located in the EU. Accordingly, UW‑Madison is establishing a GDPR compliance program for the campus community. Answers to questions most commonly asked about GDPR and the UW-Madison are below.
Who is protected under GDPR?
The GDPR protects personal data of all natural persons physically located in the EU (EU data subjects); it is not limited to EU citizens or residents. The GDPR does not protect legal entities like corporations or nonprofits.
How is personal data defined?
Personal data in the context of GDPR means any information that can be used to directly or indirectly identify a natural person. This includes identifiers such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Examples may include but are not limited to name and surname, home address, a photograph, email address, identification card numbers, personal phone numbers, location data (e.g., the location data function on a mobile phone), Internet Protocol (IP) addresses, cookie information, the advertising identifier of a phone, data held by a hospital or doctor that uniquely identifies the person (e.g., a patient number), and the content of exam papers. The GDPR establishes more stringent requirements for “sensitive personal data,” which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data regarding health, and data regarding a natural person’s sex life or sexual orientation. Data that has been anonymized, or that is encrypted or fragmented so that it is pseudonymous, is subject to less stringent requirements.
What is GDPR really designed to do?
In general, GDPR is designed to protect data subjects at all stages from collection and use to storage and deletion. In addition to identifying technical security expectations, the GDPR grants specific rights to data subjects that organizations need to consider in planning for compliance with GDPR. Some of the rights conveyed to data subjects include:
- Right to be informed of what data is collected, the legal basis for collecting, how it is used, and who to contact with concerns.
- Right to request access to their personal data – the organization has one month to comply.
- Right to be forgotten – the ability to request that data be erased if it is no longer required for the reasons for which it was collected.
- Right to restrict processing of their data.
- Right to rectification (correct inaccurate personal data or complete incomplete personal data).
Who is required to comply with the GDPR?
The GDPR applies to organizations physically established in the EU, as well as organizations based outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. No transaction for payment is required. Monitoring behavior includes tracking individuals online to create profiles used to analyze or predict personal preferences, behaviors or attitudes.
Controllers and processors of personal data are required to comply with the GDPR. Controllers are essentially the owners of the data and establish the purposes, uses and methods related to processing of personal data. Processors carry out data processing activities on behalf of and under a controller’s instructions. Processing includes collection, recording, organization, storage, adaptation, use, disclosure by transmission or dissemination, alignment or combination, blocking, erasure, or destruction.
When does the GDPR take effect?
The GDPR was enacted by the EU in April 2016 with an effective date of May 25, 2018.
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, for example not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. GDPR sets forth a tiered approach to fines, however, and a company can be fined 2% for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.
What is UW-Madison doing to comply with GDPR?
We are in the process of identifying and assessing data flows that may be impacted by GDPR and developing a risk-based GDPR compliance strategy in support of GDPR requirements. We will begin implementing prioritized GDPR requirements, develop recommendations for a sustainable GDPR compliance program, and make GDPR compliance resources available to the University community as they are developed.
How does GDPR impact UW-Madison?
GDPR may apply to certain personal data collected by UW‑Madison where we engage in business activities that collect or process the personal data of individuals physically located in the EU. Accordingly, UW-Madison is establishing a GDPR compliance program for the campus community. The university is convening a working group led by the Office of Legal Affairs and the Office of Cybersecurity to analyze the GDPR requirements and prepare a comprehensive approach to compliance. Members of the working group will also include representatives from the offices of the Provost, Enrollment Management, International Division, Vice Chancellor for Research and Graduate Education, Human Resources, Business Services, and University Communications. The working group is also engaging other affiliated entities where appropriate.
Please note that EU implementation and enforcement of the GDPR is in the early stages. The university will monitor how the EU will interpret, apply, and enforce the GDPR over time and will adjust the university’s compliance program as needed.
What has the university done so far and what is planned?
- Prepared a data survey to send to units that store or process data likely to be affected by the GDPR. The survey asks for details about the data and process flows. Surveys have been sent to targeted units. Additional surveys will be issued to other potentially impacted units in the near future. Returned surveys will be compiled for analysis and legal review.
- Working on a master privacy statement template for the university that will account for GDPR compliance and reflect privacy statement best practices. Also consulting directly with individual units regarding customization of privacy statements for affected processes.
- Developing templates (e.g., privacy notices and consent forms).
- Establishing a Data Protection Impact Assessment (DPIA) process for units to assess their data processes for compliance with GDPR.
- Evaluating vendor agreements/requests for language related to GDPR compliance.
- Evaluating how best to maintain the required records of data processing activities.
- Creating a webpage that pulls together the information UW‑Madison units need to comply with the GDPR.
Where might UW-Madison have data protected by GDPR?
Examples of units that may generate data pools containing EU data subject data:
- Admissions (grad, undergrad, professional, continuing education)
- Distance-delivered services
- Study abroad
- Personnel and Financial systems
- Shared alumni and donor systems
- Faculty research in EU or on EU data subjects
What should I be doing to address the new GDPR requirements?
You do not need to do anything immediately. As the working group makes progress on the compliance plan, we will update the university’s GDPR web presence. If you believe you have an immediate GDPR issue to be addressed, please contact Nancy Lynch at the university’s Office of Legal Affairs.
Does GDPR apply to data collected prior to the effective date of May 25, 2018?
Requirements around the process of collecting data protected by GDPR will not be enforced retroactively. For example, if data subject to GDPR were collected using an old consent form, or without consent, prior to May 25, 2018, UW-Madison will not seek consent for this existing data. However, if that data continues to be stored and/or processed by the university, the university is required to meet its obligations as a data controller under GDPR starting on May 25, 2018.
The information contained in this FAQ is for informational purposes and does not constitute legal advice. Each situation is unique and advice may vary depending on the specific facts. Further, the law and policy considerations may change as GDPR is implemented and analyzed in a legal setting, and the information contained herein may not be updated as needed to maintain accuracy in a changing legal landscape. UW-Madison employees who have questions about this or any other legal issue should contact the Office of Legal Affairs as noted above.