General Data Protection Regulation

What is the General Data Protection Regulation (GDPR)?

The European Union’s (EU) General Data Protection Regulation (GDPR) is a new privacy law that went into effect on May 25, 2018.  It governs the use of personally identifiable information obtained in the EEA (European Economic Area - the EU and certain other member countries). The GDPR provides legal rights to people who are in the EEA when their personal data is collected and processed.  GDPR imposes legal obligations on entities that control or process personal data collected in the EEA.

Note: GDPR only applies to data collected after the effective date (May 25, 2018).

What does the GDPR do?

GDPR expands privacy rights for individuals whose personal data has been obtained in the EEA, regardless of the citizenship of the individuals.  It provides certain rights, depending on how the data is used and who is using it. Subject to exceptions, the basic GDPR rights are:

  • The right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes;
  • The right to make informed decisions regarding the use and disclosure of the data;
  • The right to access the data; and
  • The right to have the data returned or deleted

 

The EEA intends for GDPR to govern data obtained in the EEA, even when that data is transferred to, or used in countries outside the EEA.  The basic GDPR framework for safeguarding use of personal data is as follows:

  • Ensuring the data is collected, transferred, processed, stored and disposed using appropriate technical safeguards;
  • Limiting the use of data for purposes that comply with GDPR requirements for lawful processing. (e.g., by consent, by public authority, in the organization’s legitimate interest).
  • Requiring third parties that are not directly subject to EEA law to adopt GDPR protections and safeguards for protection of data originating from the EEA. This will generally be done through contract language or other agreements.  Third parties outside the EEA must ensure they accept only those GDPR provisions that are applicable to the specific circumstances and that can reasonably be implemented by the entity.

Who are data subjects affected by GDPR?

GDPR protects personal data obtained from individuals when they are located in the European Economic Area (EEA).  EEA includes the EU countries and Iceland, Norway and Lichtenstein.  When GDPR is discussed, “EU” is sometimes used as shorthand for all countries in the EEA.

See the list of EEA countries below

To whom does GDPR apply?

In general, GDPR covers recording, storage, internal use, external disclosure, and transfer of personal data obtained in the EEA, from individuals, when that data is identifiable and used for functions or activities that:

(1) take place in the EEA (e.g., a clinical trial conducted in France);

(2) involve specific intent to reach people in the EEA with an offer of goods or services (e.g., a solicitation from UMB to enroll students in a program conducted in Baltimore, where the solicitation is made in Italian, directed to Italian mailing addresses or e-mail addresses and, applicants respond by providing individually identifiable data to a UMB Italian language website while they are located in Italy);

(3) monitor the identifiable behavior of individuals who are located in the EEA while online or that involve the control or processing of identifiable data relating to people in the EEA (e.g., research that studies behavior data of identifiable individuals recorded on security cameras located in the EEA).

What are the areas and types of data likely to be impacted by GDPR?

GDPR covers personal data of people physically within the EEA:

 

  • GDPR makes no distinction based on a person’s permanent residence or nationality. GDPR applies to personal data if the data is collected while the person is physically in the EEA.
  • Personal data in the context of GDPR means information relating to an identified or identifiable person. An “identifiable person” is one who can be identified by reference to other information such as an identification number, demographics, biometrics or location
  • Examples of personal data include name, address, date of birth, photograph, email address, phone number, location data (e.g., from a cellphone), Internet Protocol (IP) address, internet cookie file, or medical record number. 

GDPR generally does not apply to the following areas/types of data:

  • Data about legal entities, like corporations or non-profit organizations.
  • Data on clinical care conducted in the United States including treatment, payment and health care operations in the U.S.;
  • Data on clinical research conducted in the United States, where study participants are not specifically targeted for recruitment from the EEA;
  • General marketing, where goods or services are not specifically targeted to individuals in the EEA
  • Fully de-identified data that cannot be re-identified.

List-in-progress of areas at UMB that may be affected by GDPR.

*Information will be updated as the process of research, analysis and review continues.   

Note: GDPR only applies to data collected after the effective date (May 25, 2018).

 

Grants, Contracts

&

Strategic Sourcing

Sponsored research agreements, clinical trial agreements, contracts, subcontracts, collaboration MOU’s, data sharing agreements, etc., may need to be updated with GDPR terms pertaining to work which involves personally identifiable data obtained from EEA, e.g., data from UMB researchers working in EEA counties; data from research collaborators in EEA countries, data from universities, medical centers, public health authorities, industry sponsors and other entities in EEA countries.  

Students

Personally identifiable data obtained from enrolled and former students if the data is provided to UMB while the individual is located in the EEA and the data is more than “incidental.”  Data from prospective students, if from an individual who is in the EEA and responding to outreach specifically targeting persons in the EEA.

Research

Research being conducted with data subjects who are located in the EEA;  identifiable data obtained from collaborators, research institutions, universities, medical centers, public health authorities, industry sponsors and other entities in EEA countries.

Employment

Identifiable data from persons who perform UMB employment in EEA countries.   Responses to recruitment efforts specifically targeted to persons in the EEA, to the extent the data is obtained by UMB while the individual is located the EEA.  

Fundraising, Development & Marketing

Mailing lists of alumni and donors, grateful patients, conference attendees and newsletter subscribers, to the extent data is collected in relation to provision of goods or services and individuals are submitting data to UMB from the EEA in response to outreach specifically targeted to persons in the EEA.

What is UMB doing to prepare for GDPR?

There is a GDPR working group under the direction of Dr. Peter Murray, UMB Chief Information Officer and Vice President.  The group is working to survey, analyze and work with schools and administrative units to address issues related to the applicability of GDPR at UMB.

 

Considerable uncertainty remains regarding GDPR’s application to activities conducted in the U.S. and the scope and nature of compliance activities that must be undertaken. Certain conflicts or inconsistencies may exist between GDPR and U.S. and State laws.    

UMB’s GDPR working group activities include:

  • Assessing how GDPR will affect UMB programs and activities
  • Developing tools and templates to assist UMB schools and units with GDPR preparedness
  • Maintaining communication with UMB schools and units to support appropriate levels of education and transparency regarding the collection and use of personal data subject to GDPR
  • Ensuring units responsible for physical and technical safeguards are engaged in GDPR activities to protect the personal data of individuals
  • Working with collaborators, affiliates and vendors to ensure that GDPR data protections are maintained for GDPR-protected personal data that is disclosed outside of UMB.

What should you do?

Familiarize yourself with GDPR:

List of GDPR Countries and Territories (as of February 2019):

Austria

Azores (EU dependent territory/country)

Belgium

Bulgaria

Canary Islands (EU dependent territory/country)

Croatia,

Cyprus,

Czech Republic,

Denmark,

Estonia,

Finland,

France

French Guiana (EU dependent territory/country)

Germany,

Greece

Guadeloupe (EU dependent territory/country)

Hungary

Iceland (EEA)

Ireland,

Italy,

Latvia

Lichtenstein (EEA)

Lithuania,

Luxembourg

Madeira (EU dependent territory/country)

Malta

Martinique (EU dependent territory/country)

Mayotte (EU dependent territory/country)

Netherlands

Norway (EEA)

Poland,

Portugal

Reunion (EU dependent territory/country)

Romania

Saint Martin (EU dependent territory/country)

Slovakia,

Slovenia,

Spain,

United Kingdom (still part of the EU but plans to leave (Brexit). UK includes: Channel Isles,    England, Northern Ireland, Scotland, and Wales.

*Be aware of countries exiting and entering the EU and which are governed by GDPR.  The United Kingdom plans to leave (Brexit).  Potential Member States trying to enter are Albania, Bosnia & Herzegovina, Kosovo, Macedonia, Montenegro, Serbia, and Turkey.

Checklist of systems, portals and places where you may receive identifiable data from persons in the EEA which may be subject to GDPR protection.

  • Do you have a Privacy Policy that is specific to your system, portal or place?
  • Where is the policy made available to your audiences?
  • Does it describe the personally identifiable data elements you collect?
  • Does it describe each purpose for which personally identifiable data may be used?
  • Does it describe units, persons and officials internally at UMB who may see or use personally-identifiable data?
  • Does it describe entities, persons and officials external to UMB who may see or use personally identifiable data?
  • Is there contact information for questions and requests?
  • Is your policy compliant with all law applicable to your system, portal or location, your audiences and your activities? Consider, e.g.,:  FERPA, HIPAA, GDPR, Maryland Code, General Provisions § 4 – 501 - Personal Records; § 4-502 - Corrections of Public Record, USM and UMB policies.

Stay tuned for updates and more information.

Questions:

For questions relating to GDPR and its impact at UMB, please click here