The European Union’s General Data Protection Regulation (GDPR) is a new regulation that went into effect on May 25, 2018. The regulation provides protection for persons regarding the processing of their personal data. The GDPR replaces a 1995 EU Directive regarding data protection.
When might the GDPR apply to my Yale activities?
The GDPR applies to individuals and organizations based in the European Economic Area (“EEA”) and non-EEA organizations that process the personal data of individuals in the EEA. The EEA includes the 28 states of the EU as well as: Iceland, Liechtenstein, Norway and Switzerland.
For non-EEA entities such as Yale, the law will apply when personal data is processed in connection with either:
- Offering goods or services to individuals in the EEA; or
- Monitoring the behavior of individuals in the EEA
The GDPR may also apply to Yale activities if Yale is collaborating with an institution in the EEA, even if Yale is neither directly offering goods or services to individuals in the EEA, nor monitoring the behavior of individuals in the EEA.
What is personal data?
Under the GDPR, “personal data” refers to any information that relates to an identified or identifiable natural person (i.e., an individual rather than a company). Such data could include, for example, the individual’s name, e-mail address, identification number, or photograph. Personal data also includes, an IP address or cookie number. Under the GDPR, an individual whose personal data is being processed is also known as a “data subject.”
Certain categories of personal data get even more protections under the GDPR due to the sensitive nature of this data. Examples include: information about a data subject’s race or ethnic origin, health, genetics, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership. Information about criminal convictions is also more protected.
Under the GDPR, more data is likely to be considered personal data than under U.S. privacy laws. For example, in contrast to U.S. law, “pseudonymized data” (i.e. coded data) is “personal data” even in cases where institution such as Yale does not have access to the key-code. Only if there is no key-code in existence, anywhere in the world, is the data sufficiently anonymized that the GDPR will not apply.
What is processing?
Processing is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.
What does the GDPR require?
The GDPR’s requirements are complex. If you believe that you are or will be processing data of individuals in the EEA, please send an email to iocc@yale.edu. The Office of General Counsel can assist you with incorporating the GDPR’s obligations into your activities and processes. Typically, your department will perform a privacy assessment and make any appropriate modifications.
As an example, one of GDPR’s requirements is that all personal data being processed have a “lawful basis.” Examples of lawful bases include:
- The data subject consented to the processing.
- The data processing is necessary for the performance of a contract to which the data subject is a party.
- The data processing is necessary for the legitimate interests of Yale or a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject.
The list above is not exhaustive but rather includes some of the lawful bases most likely to be relevant to a U.S university.