EU General Data Protection Regulation (GDPR) Compliance

The General Data Protection Regulation (GDPR) is a privacy law passed by the European Union (EU) in April 2016. It governs how personal data belonging to EU residents can be collected, used, and shared.

Even if your department isn't based in the EU, GDPR may still apply, especially if you're working with international partners. For example, an EU-based research partner might require that your work meets GDPR standards. If you're involved in any agreement that involves GDPR compliance, it's best to reach out to the USU Privacy Office or the Office of General Counsel for help.

The GDPR officially took effect on May 25, 2018, replacing the older 1995 Data Protection Directive. Compared to the previous law, GDPR has wider global reach and much steeper penalties for non-compliance: fines of up to €20 million (roughly $20 million USD) or 4% of an organization's worldwide annual turnover, whichever is higher. It also affects organizations outside the EU if they handle data on people in the EU, either by offering them goods or services or by monitoring their behavior.

GDPR defines personal data broadly and lays out clear rules for how that data should be handled. It protects people who are in the EU, not just EU citizens: EU citizens living in the U.S. generally aren't covered, but U.S. citizens temporarily in the EU are.

Key GDPR rules include:

  • Data must be processed lawfully, meaning one of the lawful bases defined in the regulation must apply, such as:
    • The person has given consent
    • The processing is necessary for the organization's legitimate interests (as defined in the regulation)
    • A contract with the person requires it
    • A legal obligation, the protection of someone's vital interests, or a task in the public interest requires it
  • Data collected must be relevant and not excessive
  • Data should only be kept as long as needed and must be kept secure
  • There are limits on transferring data outside the EU
  • People must be informed about how their data is used

People also have rights under GDPR, such as:

  • The right to be informed
  • The right to access their personal data
  • The right to correct any errors
  • The right to request deletion of their data

Questions? If you're unsure how GDPR might impact your department or research, or if you're dealing with personal data, reach out to the USU Privacy Office at privacy@usu.edu.

Resources: