General Data Protection Regulation
The European Union (EU) General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the EU. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR replaces the Data Protection Directive and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy
This Regulation applies to the processing of personal data:
- in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not
- of data subjects who are in the European Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or
- the monitoring of their
behaviouras far as their behaviourtakes place within the Union
- by a controller not established in the European Union, but in a place where Member State law applies by virtue of public international law
Member Countries of the EU
Comply with the GDPR
As of May
If you process personal data about EU residents:
Note: Personal data
Complete the GDPR Questionnaire so the Iowa State GDPR Working Group can assist in protecting, encrypting, and anonymizing personal data.
More tools to help you get ready for GDPR.
- Lynda.com GDPR Training
Log in to Lynda.com and search "GDPR" to browse training tutorials to help you learn more about the GDPR.
What constitutes personal data?
Any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person.
Examples of Personal Data:
- Personal details such as name, title, address, telephone number, e-mail address, marital status, nationality, date of birth, sex and gender identity, ID Photograph, household income, parental status, and details of dependants
- Emergency contact information
- National Insurance number (where you have voluntarily provided it)
- Education and employment information (including the school(s), sixth form college(s) and other colleges or universities you have attended and places where you have worked, the courses you have completed, dates of study and examination results)
- Other personal background information collected during the admissions process, e.g. whether you have been in care, your socio-economic classification and details of your parents’ occupation and education
- Examination records (including records relating to assessments of your work, details of examinations taken, and your predicted and actual examination grades)
- Information captured in your student record including progression, achievement of milestones and progression reports
- Visa, passport and immigration information
- Banks details, fees and financial support record (including records relating to the fees paid, student loan company transactions and financial support, scholarships, and sponsorship)
- Supervision, teaching, and tutorial activities
- Training needs analysis and skills acquisition records
- Placement and internship record or study at another institution as an established component of your course of studies, or career development opportunity
- Information about your engagement with the Language Centre, Careers Support, University
sportfacilities andthe Counselling Service
- Information about your use of library facilities, including borrowing and fines
- Information about your use of facilities and collections provided by the University’s museums and Botanic Garden
- Information about disciplinary actions (including academic misconduct), dispensations from regulations, and about any appeals and complaints raised
Attendance at University degree and award ceremonies
- Information about your use of our information and communications systems, including CCTV and building access information
- Posts on social networking websites and computer IP address
Examples of 'Special Category' (i.e., sensitive) Personal Data:
- Information about your race or ethnicity and religious beliefs
- Information about your health, including any disability and/or medical condition
- Information about criminal convictions and
offences, including proceedings or allegations
What is the EU-US privacy shield and how does it affect the GDPR?
The EU-US Privacy Shield is a framework for exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to allow US companies to receive personal data from EU organizations more
We know that the GDPR influences any entity that works with EU citizens, even if the entity did not collect the data. Taking into consideration the interconnected and vast online environment, it is obvious the GDPR has immense implications in many sectors and for many businesses. There are significant differences in how the US and the EU perceive privacy. The Article 29 Working Party has issued their opinion on a wide variety of issues from
When is the GDPR coming into effect?
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive it does not require any enabling legislation to be passed by
Who does the GDPR affect?
The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Whether you are selling goods, processing their data when they create an account on your
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million, whichever is higher. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting
What is the difference between a data processor and a data controller?
A controller is
- Obligations for Data Processors
- As a data processor, you are able to process data only according to the controller's requirements, specified in the controller/processor contract. As a consequence, data processors need to comply with many of the data controllers' obligations
- The processor is obliged to inform the controller about any new sub-contractors (sub-processors), and to reflect the obligations he has with the controller in his contract to the sub-contractor.
- He is obliged to inform the controller if any of the instructions in the contract breach GDPR.
- Processors must keep track of all the categories of the processing activities.
- Data processors are obliged to inform the controllers in the event of a data breach, in the shortest time after becoming aware of it.
- Both data processors and controllers are obliged to appoint a Data Protection Officer (DPO) in situations such as when their activities require regular monitoring of data subjects on a large scale, or when they involve large amounts of sensitive data (e.g., criminal
- Obligations for Data Controllers
- As a data controller, you can only select data processors, which provide proof that they can perform their processing duties in compliance with the GDPR.
- Data controllers, as well as
processorsmust implement security measures appropriate to the GDPR, depending on the data.
- Data controllers are obliged to inform data subjects in the event of a breach in the case the breach is "likely to affect" them (e.g., name, e-mail address), and to inform both data subjects and the Data Protection Authority (DPA) if the breached data contains also monetizable data (e.g., bank account number) in maximum 72 hours.
- All in all, per article 24 of the GDPR, data controllers are responsible for ensuring that any processing activities they perform follow the GDPR.
Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?
Consent has always been important for data processing. Under the GDPR consent becomes harder to get and easier to revoke. The conditions for consent have been strengthened, as companies will no longer be able to utilize long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “
What about Data Subjects under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this will not be below the age of 13.
What is the difference between a regulation and a directive?
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve.
Does my business need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case
What are the tasks of the Data Protection Officer?
One of the first tasks of the Data Protection Officer is to inform and advise the organization of their obligations as per the Regulation and any other local privacy provisions. Also, the DPO will be responsible
Will the GDPR set up a one-stop-shop for data privacy regulation?
The discussions surrounding the one-stop-shop principle are among the most highly debated and are still unclear as the standing positions are highly varied. The Commission text has a fairly simple and concise ruling in favor of the principle, the Parliament also promotes a lead DPA and adds more involvement from other concerned
How can encryption help you?
The EU GDPR puts a strong emphasis on data protection, encouraging security ‘by design and by default’. This said, how exactly to implement security and data protection is for each organization to decide. Expectations are that companies will follow current best practices. For instance, encryption and
How does the GDPR affect policy surrounding data breaches, and what to do in case of a data breach?
A data breach means the security of personal data has been compromised and it usually leads either to its loss, alteration or unauthorized disclosure. In case of such a
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. If the data breach presents a risk to the rights and freedom of the individual, you must also notify those directly affected, not just the supervisory authority. Data processors should notify the controllers “without undue delay” after becoming aware of the breach. Data controllers should notify the supervisory authority within 72 hours of becoming aware of the breach. However, you might be saved by the security methods you use. If the data
When you do notify a breach, there are certain
Is security mandatory under GDPR?
Security is not mandatory under the
Encryption vs Tokenization: Which is better and when to use them?
Encryption has almost become a standard under the GDPR, as it is a widely known security method and its use helps organizations comply
So, encryption vs. tokenization? Is one better than the other? The question is similar to those aiming to compare one or more security algorithms to find which one is better. While some might stand out more often, the best solution
For questions, e-mail the Iowa State GDPR Working Group.