General Data Protection Regulation (GDPR) FAQs

For individuals who are affiliated with, but not employed by, the University of California (examples include students, research data subjects and non-UC research collaborators)

The European Union General Data Protection Regulation (GDPR) is effective as of May 25, 2018.

What is it?

GDPR is an EU regulation designed to protect the privacy rights of individuals in the European Economic Area (EEA), which includes the European Union member states plus Iceland, Norway, and Liechtenstein. It is intended to be a single, overarching privacy regulation for all EU Member States and replaces the prior EU Data Protection Directive (95/46/EC) and the national laws that implemented it.

What does it do?

GDPR expands privacy rights for individuals located in the EEA. Specifically, it guarantees certain rights, depending on how the data is used:

  • The right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes;
  • The right to make informed decisions regarding the use and disclosure of the data;
  • The right to access the data; and
  • The right to have the data returned or deleted.

It also covers data pertaining to these individuals even when the data is located in other countries, regardless of the citizenship of the individuals. Specifically, the GDPR establishes a framework for safeguarding how personal data is used, such as:

  • Ensuring that the data is transferred, processed, stored and eventually disposed of using appropriate technical and organizational safeguards;
  • Limiting the use/processing of the data to purposes that comply with GDPR requirements (e.g., managing the academic records of UC students studying in the EEA as part of Education Abroad);
  • Requiring third parties who receive the data to adopt UC's GDPR protections and safeguards through changes to contract terms.

Who does it apply to?

GDPR applies to organizations that are established in the EEA (for example, a study center in Europe). It also applies to organizations not physically in the EEA when they offer goods or services to individuals in the EEA (e.g., applications for admission) or monitor the behavior of individuals in the EEA (e.g., research that collects data about people located in the EEA, whatever their citizenship).

Are there penalties for non-compliance?

Yes. GDPR imposes significant monetary penalties for organizations that do not comply with the regulation: depending on the provision violated, fines can reach up to €20 million or 4% of an organization's worldwide annual turnover, whichever is higher.

UC GDPR Compliance Program

What is the University of California (UC) doing to prepare for GDPR?

UC's compliance, privacy and information technology functions are working together to develop an effective GDPR compliance program. This program is specifically designed to build on UC's existing privacy infrastructure to ensure compliance with this new regulation. Program activities include:

  • Assessing how GDPR will affect UC programs
  • Developing tools and templates to assist UC programs with GDPR compliance
  • Developing communication tools to provide greater transparency to UC students, employees and other UC program participants regarding the collection and use of personal data
  • Ensuring that appropriate physical and technical safeguards are in place to protect the personal data of individuals
  • Working with our partners and vendors to ensure that data protections are maintained when personal data is transferred outside UC

What should you do?

Stay tuned. You do not need to do anything immediately. It will take some time for organizations around the world to sort through, understand, and determine the implications of the GDPR requirements and how those requirements affect public higher education institutions. Watch for more information from your campus privacy official. If UC determines that your personal data is governed by GDPR, UC will take the appropriate steps to protect your data. If you have immediate questions or concerns, contact your campus privacy official. Campus privacy official contact information is available at: