General Data Protection Regulation (GDPR)

What is GDPR?

The GDPR, or General Data Protection Regulation, is a European Union (EU) law that protects the privacy of EU residents and imposes certain restrictions and obligations on organizations that process the “personal data” of people who reside in the EU (permanently or temporarily). Though not a US law, the GDPR applies to US institutions that operate in the EU, offer goods or services to EU residents, or process the personal data of EU residents. 

What is Personal Data?

The GDPR takes a wide view of what constitutes personal data. Under GDPR, personal data includes, but is not limited to:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

How does it affect Georgetown University?

When Georgetown collects or processes the personal data of people residing in the EU during the course of offering education, conducting research, managing staff, or in connection with other activities, it may be subject to the regulatory requirements of the GDPR. 

How has the university responded to the upcoming changes?

Within the past year, Georgetown has convened a GDPR Working Group to review and assess the GDPR and its impact on the University. The Working Group is working with multiple campus groups to address the protection of our community’s data:

  • Surveying the community
  • Prioritizing our compliance efforts
  • Developing new privacy notices
  • Amending language in admissions, financial aid, human resources and research materials
  • Updating contractual language

This is an ongoing effort and we appreciate your cooperation, assistance and patience as we address all the components of this new regulation.

If you have questions about the General Data Protection Regulation, please contact the Working Group at