General Data Protection Regulation (GDPR)

The GDPR protects personal data of all natural persons physically located in the EU (EU data subjects); it is not limited to EU citizens or residents. The GDPR does not protect legal entities like corporations or nonprofits.

Personal data in the context of GDPR means any information that can be used to directly or indirectly identify a natural person. Identifiers such as name, an identification number, location data, online identifier or other factors specific to physical, physiological, genetic, mental, economic, cultural or social identify of that person. Examples may include but are not limited to name and surname, home address, a photograph, email address, identification card numbers, personal phone numbers, location data (e.g., location data function on a mobile phone), Internet Protocol (IP addresses), cookie information, advertising identifier of a phone, data held by a hospital or doctor that uniquely identifies the person (e.g., patient number), and content of exam papers. The GDPR establishes more stringent requirements for “sensitive personal data” which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data regarding health or data regarding a natural person’s sex life or sexual orientation. Data that is anonymized and encrypted or fragmented (pseudonymous) is subject to less stringent requirements.

In general, GDPR is designed to protect data subjects at all stages from collection and use to storage and deletion. In addition to identifying technical security expectations, the GDPR grants specific rights to data subjects that organizations need to consider in planning for compliance with GDPR including the right to:

• Be informed of what data is collected, the legal basis for collecting, how it is used, and who to contact with concerns.
• Request access to their personal data – organization has one month to comply.
• Be forgotten – ability to request data be erased if no longer required for reasons it was collected.
• Restrict processing of their data.
• Rectification (correct inaccurate personal data or complete incomplete personal data).

The GDPR applies to organizations physically established in the EU, as well as organizations based outside of EU if they offer goods or services to or monitor behavior of EU data subjects. No transaction for payment is required. Monitoring behavior includes tracking individuals online to create profiles used to analyze or predict personal preferences, behaviors or attitudes.

Controllers and processors of personal data are required to comply with the GDPR. Controllers are essentially the owners of the data and establish the purposes, uses and methods related to processing of personal data. Processors carry out data processing activities on behalf of and under a controller’s instructions. Processing includes collection, recording, organization, storage, adaptation, use, disclosure by transmission or dissemination, alignment or combination, blocking, erasure, or destruction.

The GDPR was enacted by the EU in April 2016 with an effective date of May 25, 2018.

Organizations can be fined up to 4% of annual global turnover for breaching the GDPR or €20 Million, whichever is more. This is the maximum fine that can be imposed for the most serious infringements—for example, not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. GDPR sets forth a tiered approach to fines, however, and a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.

We are in the process of identifying and assessing data flows that may be impacted by GDPR and developing a risk-based GDPR compliance strategy in support of GDPR requirements. We will begin implementing prioritized GDPR requirements, develop recommendations for a sustainable GDPR compliance program, and make GDPR compliance resources available to the University community as they become available.

GDPR may apply to certain personal data collected by UW‑Madison where we engage in business activities that collect or process the personal data of individuals physically located in the EU. Accordingly, UW–‍Madison is establishing a GDPR compliance program for the campus community. The university is convening a working group led by the Office of Legal Affairs and the Office of Cybersecurity to analyze the GDPR requirements and prepare a comprehensive approach to compliance. Members of the working group will also include representatives from the offices of the Provost, Enrollment Management, International Division, Vice Chancellor for Research and Graduate Education, Human Resources, Business Services, and University Communications.  The working group is also engaging other affiliated entities where appropriate.

Please note that EU implementation and enforcement of the GDPR is in the early stages. The university will monitor how the EU will interpret, apply, and enforce the GDPR over time and will adjust the university’s compliance program as needed.

• Prepared a data survey to send to units that store or process data likely to be affected by the GDPR. The survey asks for details about the data and process flows. Surveys have been sent to targeted units. Additional surveys will be issued to other potentially impacted units in the near future. Returned surveys will be compiled for analysis and legal review.
• Working on a master privacy statement template for the university that will account for GDPR compliance and reflect privacy statement best practices. Also consulting directly with individual units regarding customization of privacy statements for affected processes.
• Developing templates (e.g., privacy notices and consent forms).
• Establishing a Data Protection Impact Assessment (DPIA) process for units to assess their data processes for compliance with GDPR.
• Evaluating vendor agreements/requests for language related to GDPR compliance.
• Evaluating how best to maintain the required records of data processing activities.
• Creating a webpage that pulls together the information UW‑Madison units need to comply with the GDPR.

Examples of units that may generate data pools containing EU data subject data:

• Admissions (grad, undergrad, professional, continuing education)
• Distance-delivered services
• Study abroad
• Personnel and Financial systems
• Shared alumni and donor systems
• Faculty research in EU or on EU data subjects

You do not need to do anything immediately. As the working group makes progress on the compliance plan, we will update the university’s GDPR web presence. If you believe you have an immediate GDPR issue to be addressed, please contact Nancy Lynch at the university’s Office of Legal Affairs.

Requirements around the process of collecting data protected by GDPR will not be enforced retroactively. For example, if data subject to GDPR were collected using an old consent form, or without consent, prior to May 25, 2018, UW–‍Madison will not seek consent for this existing data. However, if that data continues to be stored and/or processed by the university, the university is required to meet its obligations as a data controller under GDPR starting on May 25, 2018.