Table of contents
- What is GDPR?
- Whose data does the GDPR protect?
- What does GDPR mean to the University of Maryland?
- What constitutes personal data?
- Who does the GDPR affect?
- Do the rules only apply to EU citizens or residents?
- What are the penalties for non-compliance?
- Why does GDPR apply to UMD?
- How does UMD plan to comply with GDPR?
- Where can I find more information?
- What do I need to do if I receive a pop-up or other notification from a software application or a service provider regarding GDPR compliance?
- Does GDPR apply to data collected prior to May 25, 2018 (when the regulation takes effect)?
- Does the GDPR apply to de-identified data?
- Can or does UMD certify to Privacy Shield?
What is GDPR?
The European Union General Data Protection Regulation (GDPR) replaces Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, protect and empower all EU citizens' data privacy, and reshape the way organizations across the region approach data privacy.
Whose data does the GDPR protect?
The GDPR covers personal information of all natural persons—that is, people, but not legal entities like corporations or nonprofits—physically within the EU ("EU data subjects"). The GDPR makes no distinctions based on individuals' permanent places of residence or nationality. The GDPR applies to all such individuals' personal data.
What does GDPR mean to the University of Maryland?
The University of Maryland (UMD) Privacy Committee is developing a GDPR Compliance program to assist in analyzing and complying with the requirements of GDPR.
What constitutes personal data?
Personal data in the context of GDPR means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to, among other things, an identifier such as a name, an identification number, location data or an online identifier. Examples of personal data include, but are not limited to, name and surname, home address, a photograph, email address (such as name.surname@company.com), identification card numbers, personal phone numbers, location data (for example, the location data function on a mobile phone), Internet Protocol (IP) addresses, cookie IDs, the advertising identifier of a phone, data held by a hospital or doctor that uniquely identifies a person (for example, a unique patient number) and the content of exam papers.
Who does the GDPR affect?
The GDPR applies to organizations located within the EU and it also states that it applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. Put another way, it will attempt to apply to all companies processing and holding the personal data of EU data subjects, regardless of the company's location.
Do the rules only apply to EU citizens or residents?
Citizenship or residence is not a condition that triggers the application of the GDPR rules, requirements, and rights. GDPR may apply whether you are an EU citizen or not, depending on the circumstances.
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements—for example, not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines, however, and a company can be fined 2% for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors—meaning "clouds" will not be exempt from GDPR enforcement.
It will take a few years for a more precise understanding of how GDPR will be further defined, interpreted and enforced by the EU and national data protection authorities of its member states. UMD will be paying close attention to the evolution of the law's compliance requirements over the coming years and will respond as needed.
Why does GDPR apply to UMD?
GDPR may apply to certain personal data collected by UMD because, in certain limited circumstances, we engage in business activities that collect or process the personal data of individuals residing in the EU.
How does UMD plan to comply with GDPR?
UMD has created a Privacy Committee that has been tasked with making a best faith effort to move towards meeting GDPR compliance requirements. We are developing a risk-based GDPR compliance strategy in support of GDPR requirements. We will begin implementing prioritized GDPR requirements, develop recommendations for a sustainable GDPR compliance program, and make GDPR compliance resources available to the university community as they are developed.
Where can I find more information?
Visit our knowledge base articles on General Data Protection Regulation (GDPR) or General Data Protection Regulation (GDPR) Overview.
What do I need to do if I receive a pop-up or other notification from a software application or a service provider regarding GDPR compliance?
Most UMD employees are not authorized to accept agreements or certify compliance on behalf of the university. Please refer third-party notifications, and any questions about how the EU's GDPR deviates from the university's standard contract terms related to GDPR compliance, to umd-privacy@umd.edu.
Does GDPR apply to data collected prior to May 25, 2018 (when the regulation takes effect)?
Requirements around the process of collecting data protected by GDPR will not be enforced retroactively. For example, if data subject to GDPR were collected using an old consent form, or without consent, prior to May 25, 2018, UMD will not seek consent for this existing data. However, if that data continues to be stored or processed, or both, by the university, the university is required to meet its obligations as a data controller under GDPR starting on May 25, 2018.
Does the GDPR apply to de-identified data?
The GDPR does not apply to fully anonymized information that cannot be re-identified.
Can or does UMD certify to Privacy Shield?
No. The Privacy Shield framework does not apply to UMD, and therefore the university cannot certify to it.
Disclaimer: The information contained in this FAQ is for informational purposes and does not constitute legal advice. Each individual case is different, and advice may vary depending on the situation. Further, the law and policy considerations may change as GDPR is implemented and analyzed in a legal setting, and the information contained herein may not be updated as needed to maintain accuracy in a changing legal landscape. If you have questions about this or any other legal issue, you are advised to seek the advice of the UMD General Counsel.