The EU GDPR is a regulation designed to protect the privacy of individuals' personal data. It requires entities, including universities, to implement reasonable data protection measures that protect individuals' personal data and privacy against loss or exposure.
Step 1: Read the Institute Policy
The Georgia Tech EU General Data Protection Regulation Compliance Policy is located in the Policy Library, and can be accessed via the following link:
Please review the policy to further understand the purpose, scope, definitions, and procedures.
Step 2: Are you receiving personal data from the EU?
All Georgia Tech units that collect or process personal data from the EU must document the lawful basis for that collection or processing, why they collect the data, who they share it with, and how long they keep it. Georgia Tech has prepared the following Lawful Basis form (hosted through a Qualtrics survey) to identify any next steps your unit may need to take to comply with the regulation. Because of the types of questions asked in this form and the time it may take to complete, it may be helpful to preview the Lawful Basis form (PDF document) before submitting your responses via the Qualtrics survey link.
Once you complete the Lawful Basis form, you will receive a follow-up email with your next steps to complete your unit's compliance. Those next steps may include the need for a unit privacy notice. A model template of the unit privacy notice is located here:
- EU GDPR GaTech Unit Privacy Notice Template (Word document)
Step 3: Are you collecting special categories of sensitive personal data from the EU?
All Georgia Tech units that collect or process special categories of sensitive personal data from the EU must obtain signed (a digital signature is acceptable) affirmative consent before collecting or processing any such data. The special categories of sensitive personal data are:
- Data revealing racial or ethnic origin
- Data revealing political opinions
- Data revealing religious or philosophical beliefs
- Data revealing trade union membership
- Genetic data, and biometric data processed for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a person's sex life or sexual orientation
A model template of the consent form is located here:
- EU GDPR Model Consent Form (Word document)
Step 4: Are you protecting the data? Are you keeping the data only for the required time period?
All Georgia Tech units that collect or process personal data and/or special categories of sensitive personal data from the EU must secure this data. To do so, these units must comply with the security controls and the system and process requirements of NIST Special Publication 800-171, as set forth in the Georgia Tech Controlled Unclassified Information Policy found here: https://policylibrary.gatech.edu/information-technology/controlled-unclassified-information
If your office needs help with data security or getting compliant with NIST 800-171, please contact the Georgia Tech Cyber Security Compliance Team at: email@example.com
All Georgia Tech units that collect or process personal data and/or special categories of sensitive personal data from the EU must keep this data only for the period necessary to conduct a legitimate business purpose. To set limits on data retention, these units must comply with the University System of Georgia Records Retention Schedules found here: https://www.usg.edu/records_management/schedules
If your office needs help with data retention or getting compliant with the USG Records Retention Schedules, please contact the Georgia Tech Office of Legal Affairs at: firstname.lastname@example.org
Should you have any questions or concerns about steps required to achieve compliance with this regulation, please contact email@example.com.