What is GDPR?
The European Union's General Data Protection Regulation (GDPR) is a new privacy law that governs the use of personally identifiable information. The GDPR grants certain legal rights to people whose personal data is being collected and processed and imposes legal responsibilities on entities that control or process personal data.
Does GDPR affect US-based companies, colleges and universities too?
Although the GDPR is not a US law, it may apply to a number of Georgetown University's activities that involve processing, storage or management of personal information about EU residents. The law is intended to apply to entities like Georgetown that are outside of Europe, and to apply to data about persons located in Europe regardless of whether they are citizens or permanent residents of a European Union country.
In general, the GDPR covers the storage or use of personal data for University functions or activities that 1) take place in the EU; 2) involve outreach to EU residents to offer goods or services; or 3) track EU residents online or involve the control or processing of data relating to EU residents.
What is “personal data” under GDPR?
The GDPR takes a wide view of what constitutes personal data, which includes:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What are we doing?
A core group, including members from the Office of General Counsel, Office of Compliance and Ethics, and the University Information Security Office, has formed to evaluate and plan for compliance with the GDPR. This group will be working closely with select departments across campus to ensure that we are respecting the newest elements of what’s considered personal data under GDPR.
If you have questions about the GDPR or how it may apply to your department or unit, please contact us at firstname.lastname@example.org.