General Data Protection Regulation (GDPR) and the UK GDPR

What is the General Data Protection Regulation (GDPR)?

The General Data Protection regulation or the GDPR(link is external) is a European Union (link is external)(EU) regulation designed to protect the privacy rights of Individuals in the European Economic Area (EEA)(link is external), which includes the European Union, Iceland, Norway, and Lichtenstein.  It is intended to be an overarching privacy regulation for all EU Member States and replaces prior EU privacy regulations and goes even further than benchmark United States privacy laws governing health care and educational records, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Education Rights and Privacy Act (FERPA).

Note: On January 1, 2021, the United Kingdom's UK GDPR rules became effective.  The UK GDPR absorbs the privacy compliance requirements of the EEA's GDPR and combines them with the requirements of the UK's Data Protection Act(link is external).   UC Berkeley complies with both EEA and UK GDPR privacy requirements when applicable.

What does GDPR do?

GDPR (link is external)expands privacy rights for individuals located in the EEA regardless of citizenship. Specifically, it guarantees certain rights, depending on how the data is used:

  • The right to be informed regarding the collection and intended use of a subject’s personal data,

  • The ability to make informed decisions regarding the use and disclosure of the data,

  • The right to access the data upon request or have the data transferred to a third party, and

  • The right to have the data returned or deleted.

It also impacts data pertaining to these individuals even when the data is located in other countries, regardless of the citizenship of the individuals. Specifically, the GDPR establishes a framework for safeguarding how personal data is used, such as:

  • Ensuring that the data is transferred, processed, stored and eventually disposed of using appropriate technical safeguards,

  • Limiting the use/processing of the data to purposes that comply with GDPR requirements (e.g., managing the academic records of UC students studying in the EEA as part of Education Abroad),

  • Requiring third parties who receive the data to adopt UC’s GDPR protections and safeguards through changes to contract terms.

Who does GDPR apply to?

GDPR applies to all organizations that are established in the EEA, including higher education institutions (e.g., a study center in Europe). It also applies to organizations not physically in the EEA when goods or services are offered to individuals in the EEA (e.g., applications for admissions), or when the behavior of individuals in the EEA are monitored by individuals either inside or outside of the EEA (e.g., research that includes EU citizens).

Are there penalties for GDPR non-compliance?

Yes, GDPR imposes significant monetary penalties for organizations that do not comply with the regulation.  The fines are up to €20M ($28M) or 4% of global revenue.

What is the UCB Privacy Office doing to comply with GDPR?

The Privacy Office established a Working Group to address issues that are specific to the impact of GDPR at our campus.

The Working Group is comprised of representatives from key sectors likely to be impacted by the regulation and who will drive implementation efforts here at Berkeley, including Privacy, Compliance, Legal Affairs, Information Technology, Security, Risk Management, Insurance Services, and others. The primary goal of the Working Group will be to develop guidelines, processes, and policy changes to be implemented at Berkeley to promote compliance with GDPR.

The Privacy Office is also working closely with the UC Office of the President (UCOP) and the Office of the General Counsel (OGC) in accordance with their system-wide GDPR efforts as listed below.

UC Berkeley's Statement of Privacy Practices - GDPR

UC Berkeley's Statement of Privacy Practices for Persons in the European Economic Area Subject to GDPR explains how we comply with GDPR and indicates your rights regarding your Personal Data

What is the University of California (UC) doing to comply with GDPR?

UC’s compliance, privacy and informational technology organizations ha to developed a GDPR compliance program that is specifically designed to enhance the existing robust privacy infrastructure at UC to ensure compliance with GDPR.

Program activities include:

  • Assessing GDPR's impact on UC programs
  • Developing tools and templates to assist UC programs with GDPR compliance
  • Developing communication tools to provide greater transparency to UC students, employees, and other UC program participants regarding the collection and use of personal data
  • Ensuring that appropriate physical and technical safeguards are in place to protect the personal data of individuals
  • Working with our partners and vendors to ensure that data protections are maintained when personal data is transferred outside UC

What can I do to prepare my office for GDPR?

  1. Understand GDPR:
  2. Determine if GDPR applies:
  3. Develop a plan:
    • Review Tools & Resources created by UCB, and UCOP,  and start working on a plan for your Department
  4. Stay informed:
    • Review FAQs from UCB, UCOP, and selected external partners
    • Visit GDPR.berkeley.edu regularly for updates

Questions

For questions relating to GDPR and its impact at UCB, please contact the Privacy Office