The European Union's General Data Protection Regulation (GDPR) is a comprehensive and far-reaching privacy law that applies to most entities that handle the personal data of individuals in the European Economic Area (EEA). Its scope is more expansive, and its requirements differ from those of most US privacy laws such as FERPA or HIPAA.
UCF researchers may encounter GDPR when research requires direct contact with participants in the EEA, use of EEA databases, and/or collaboration with EEA entities.
Under GDPR, Personal Data goes beyond direct identifiers: GDPR covers any information relating to an identified or identifiable natural person (i.e., a living individual). An identifiable natural person is one who can be identified, directly or indirectly. This includes names and ID numbers, but it also includes location data, online identifiers, and any factor related to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Pseudonymized Data is personal data which has undergone pseudonymization. Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Anonymized Data is anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
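The distinction between the two definitions above is easiest to see in code. The following is an added illustration, not part of the original UCF guidance: it pseudonymizes a constructed dataset by replacing direct identifiers with a keyed token and keeps the key and linkage table separately (the "additional information"), and it anonymizes the same data by discarding identifiers and coarsening age so that no table can link a row back to a person. The records, field names and key are hypothetical.

```python
import hashlib
import hmac

# Constructed sample records (hypothetical participants, not real data).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "age": 34, "score": 81},
    {"name": "Bob Example", "email": "bob@example.org", "age": 29, "score": 67},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records, key):
    """Return (pseudonymized records, linkage table).

    Direct identifiers are replaced by a keyed token (HMAC-SHA256 over the
    e-mail). The key and the linkage table are the 'additional information'
    that must be stored separately from the research dataset.
    """
    pseudo, linkage = [], {}
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        linkage[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        research_fields = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo.append({"subject_id": token, **research_fields})
    return pseudo, linkage


def reidentify(pseudo_record, linkage):
    """Re-attribute a pseudonymized record to its data subject.

    Only possible for whoever holds the separately stored linkage table;
    the research dataset alone no longer identifies anyone.
    """
    identifiers = linkage[pseudo_record["subject_id"]]
    research_fields = {k: v for k, v in pseudo_record.items() if k != "subject_id"}
    return {**identifiers, **research_fields}


def anonymize(records):
    """Drop identifiers outright and coarsen age to a 10-year band.

    No token or table is kept, so the rows can no longer be linked back to
    a person (anonymous information in the GDPR sense).
    """
    out = []
    for rec in records:
        low = rec["age"] // 10 * 10
        out.append({"age_band": f"{low}-{low + 9}", "score": rec["score"]})
    return out


if __name__ == "__main__":
    pseudo, table = pseudonymize(RECORDS, b"hypothetical-key-kept-elsewhere")
    print("pseudonymized:", pseudo)
    print("re-identified:", reidentify(pseudo[0], table))
    print("anonymized:", anonymize(RECORDS))
```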
Basic GDPR responsibilities include the following:
- Data Minimization
  - only collect and process personal data that is necessary for the project/research
- Maintaining an inventory of the data you handle, including:
  - where the data is stored
  - what the data is used for
  - who has access to the data
  - who your team shares the data with
  - what your team will do with the information once the research is done
- Notify Privacy Compliance (Dan LoPresto, dan.lopresto@ucf.edu):
  - before transferring GDPR-regulated data across international borders (including to data centers outside the US)
  - if you receive any data subject access requests, whereby an individual requests that we provide a copy of, or delete, their personal information
- Notify the Information Security Office (Security Incident Response Team, sirt@ucf.edu) immediately if there is any incident, accident, or unauthorized access to or use of the data.
All members of a research team that may handle GDPR-regulated data are expected to be trained on the GDPR and its obligations. Please refer to the CITI GDPR training: all modules are required except Module 4 (GDPR and Data Protection Impact Assessments) and Module 6 (GDPR and Organizational Responsibilities). If you have any questions about GDPR training or requirements, or project-specific questions regarding data subject to GDPR, please contact UCF's Privacy Compliance Director, Dan LoPresto, at dan.lopresto@ucf.edu.
GDPR Provisions in Contracts
As part of their mission to facilitate university research, Sponsored Programs - Contracts and the Office of Privacy Compliance are collaborating to ensure compliance with applicable foreign and domestic privacy laws. To ensure such requirements are met, the responsible offices intend to coordinate an ancillary review by the Office of Privacy Compliance of agreements whose terms incorporate foreign or domestic privacy laws. The ancillary review will be completed prior to the execution of any such agreement.