GDPR Fundamentals

The European Union's General Data Protection Regulation (GDPR) is a comprehensive and far-reaching privacy law that applies to most entities that handle the personal data of individuals in the European Economic Area (EEA). Its scope is more expansive and its requirements different than most US privacy laws, such as FERPA or HIPAA.

UCF researchers may encounter GDPR when research necessitates direct contact with participants in the EEA, utilizations of EEA databases, and/or collaborating with EEA entities.

Under GDPR, Personal Data goes beyond direct identifiers as GDPR covers any information related to an identified or identifiable natural person (i.e., an individual that is alive). An identifiable natural person is one who can be identified, directly or indirectly. This could include name and ID numbers, but it also includes location data, online identifiers, or any factor related to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Pseudonymized Data is personal data which has undergone pseudonymization.  Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Anonymized Data is anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

Basic GDPR responsibilities include the following:

  1. Data Minimization
    • only collect and process personal data that is necessary for the project/research
  1. Maintaining an inventory of the data you handle:
    • including where data is stored
    • what the data is used for
    • who has access to the data
    • who your team shares the data with
    • what your team will do with the information once the research is done
  1. Notify Privacy Compliance (Dan LoPresto,
    • before transferring GDPR-regulated data across international borders (including in data centers outside the US)
    • if you receive any data subject access requests, whereby an individual requests we provide a copy of or delete their personal information
  1. Notify the Information Security Office (Security Incident Response Team, immediately if there’s any incident, accident, unauthorized access, or use of the data.


All members of a research team that may be handling GDPR-regulated data are expected to be trained on the GDPR and its obligations. Please refer to the CITI GDPR training – all modules are required except 4 – GDPR and Data Protection Impact Assessments and 6 – GDPR and Organizational Responsibilities. If you have any questions about GDPR training or requirements, or for project-specific questions regarding data subject to GDPR, please contact UCF’s Privacy Compliance Director, Dan LoPresto at

GDPR Provisions in Contracts

As part of their mission to facilitate university research, the Sponsored Programs – Contracts and Office of Privacy Compliance are collaborating to ensure compliance with applicable foreign and domestic privacy laws. To ensure such requirements are met, the responsible offices intend to coordinate an ancillary review by the Office of Privacy Compliance of agreements with terms that incorporate foreign and domestic privacy laws. The ancillary review will be completed prior to the execution of any such agreement.

Serving Faculty

The Office of Research serves UCF scholars as the official liaison between UCF and funding sources and by helping faculty work through the proposal and contract management process.

This site includes information to assist university scholars through the announcement, application and post-award stages and to familiarize prospective partners with the breadth of funded research conducted at the university.

UCF is committed to the pursuit of excellence and intellectual growth and seeks to excel at moving ideas to innovation and realization. The Carnegie Foundation rates UCF as a "very high research activity" university. We’ve been on an upward trajectory for years and in 2021 UCF surpassed the $212.9 million dollar mark in external funding. UCF's pioneering efforts to commercialize technology continue to stimulate local economies throughout the state. The number of patents at UCF also continue to climb with 64 U.S. issued patents produced in 2021.

Budget Templates

Below you will find NIH and NSF budget templates. Although they are tailored for NIH or NSF, they can be used for developing your budget for any funding source.