Please ensure Javascript is enabled for purposes of website accessibility GDPR | University of West Florida
Skip to main content

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

GDPR Overview

The General Data Protection Regulation is a privacy law that applies to the personal information collected in or from the European Union (EU), or that is related to goods or services offered in the EU, or that involves the monitoring of individuals in the EU.

So, how does this affect us at UWF?

Although, this is an EU regulation it has significant potential to impact U.S. systems. There are three major categories of data that are most likely to be affected. These are; (1) data collected on students from the EU (e.g., international students), (2) human resources data (e.g., staff or faculty living or working overseas), and (3) marketing data (e.g., data collected from a potential student living in the EU who is interested in UWF).

Key Principles of GDPR

The GDPR establishes seven key principles:

Personal data must be processed lawfully, fairly and in a transparent manner

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Personal data must be accurate and, where necessary, kept up to date

Personal data must be kept in a form which permits identification of data subjects no longer than is necessary for the purposes for which the personal data was processed

Personal data must be processed in a manner that ensures appropriate security of the personal data

Controllers (see Important Terms) are responsible for, and must be able to demonstrate compliance with the GDPR principles


Answers to Frequently Asked Questions (FAQs)

  • Any collection of personal data must have a clearly defined purpose, which is prominently publicized, and the data cannot be used for any other purpose
  • Do not collect any more data than absolutely necessary
  • Consumers must be informed when personal data is being collected
  • Personal data is kept for only as long as necessary
  • Delete data where it is no longer necessary
  • Effectively secure all personal data being collected
  • Maintain documentation on your data processing activities
  • Ensure all sub-contractors and vendors adhere to GDPR rules

Any department, office, system, and/ or function that collects, uses, or stores information in or from the EU or relating to individuals in the EU, fall under the scope of the regulation and may be impacted.

First and foremost, you need to determine how exposed your area or function is to GDPR. In order to get the ball rolling, you should start by reflecting on the following questions and statements:

  • Conduct an analysis of how your department/ office/ function/ research interacts with the EU.
    • Is there any personal data involved?
    • Do you monitor individuals in any way?
    • Are there any financial transactions with individuals in the EU?
    • What is your legal basis for collecting information?
    • Do your procedures need to be updated?
  • What are the ways someone in the EU could access you?
    • What are the touchpoints?
  • Think about our vendors, services, and internal and external websites that are used to reach into the EU.
  • Review your contracts.
  • Ask vendors and 3rd parties if they are GDPR compliant (or how they plan to become compliant)

The penalty for violations can range anywhere from a warning, a fine of 20 million Euros, or up to 4% of UWF's annual revenue.

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxemberg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom

GDPR Terminology

The following terms are essential components of the regulation

Personal Data

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person


‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction


‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Controller/ Data Controller

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

Possible Impact and Solutions

The following table describes how certain areas might be impacted by GDPR and provides possible GDPR solutions. Please take note that these "solutions" do not represent legal guidance. This resource and web page and are only meant to inform and should be seen as tools to help aid in your understanding of the regulation.

GDPR Possible Impacts and Solutions
Business Process & Potential ImpactPossible Solutions (suggestions to be discussed internally)

Research/ Technology Transfer:

     • Collaborations and agreements with EU professors or universities that involve collecting or sharing personal information
     • Studies on EU individuals that involve personal information
     • Human subject research that involves personal information collected in the EU

     • Additional grant/contract clauses, expanded consent documents, specific consideration in IRB review
     • Internal process to handle withdrawn consent
     • Limit receipt of identifiable data

Note that de-identified data is not GDPR, but if it can be re-identified (i.e., there is a key) then it is GDPR

Faculty, Staff, and Students in or from the EU/ Human Resources:

     •Correspondence containing personal information with individuals in the EU, or faculty/ staff/ students that will reside in the EU
     •Exchanging salary or tax information
     •Conducting background checks on individuals in the EU

     •Notification, signed consents, specific coverage of GDPR in University policy
     •Coordination with third party vendors who process data

Admissions, Financial Aid, Registrar, Online Education:

     •Correspondence containing student personal information, transcripts or financial information being sent from EU students or parents
     •Program Application monitoring

•Notification, signed consents, specific coverage of GDPR in University policy
•Coordination with third party vendors who process data
•General GDPR notice in the General Announcements

Study Abroad (including exchange programs and students doing research in EU):

     •Correspondence containing student personal information regarding individuals who are on programs in the EU
     •SOS Insurance

     •Notification, signed consents, specific coverage of GDPR in University policy
     •Coordination with third party vendors who process data
     •General GDPR notice in the General Announcements

Title IX/ Clery:

     •Tracking and reporting incidents in the EU (particularly where one party is not a student)

     •Signed consent where possible. Notification, signed consents, specific coverage of GDPR in University policy
     •Document approach to potential conflicts up front
     •General GDPR notice in the General Announcements

University Advancement/ Development/ Alumni:

     •Collecting, storing, and sharing personal and financial information in or from the EU, or relating to individuals in the EU

     •Signed consent where practical, internal process to respond to requests. GDPR in privacy policy
     •Coordination with third party vendors who process data

Risk Management:

     •Sharing and receiving personal information, including with International SOS

     •Signed consent, privacy notices. Coordination with third party vendors who process data

International Students:

     •Discussions with students or parents who are in the EU regarding personal information or visa information

     •Notification, signed consents, specific coverage of GDPR in University policy
     •Coordination with third party vendors who process data
     •General GDPR notice in the General Announcements

Institutional Communications:

     •Publicly available stories or pictures of faculty, staff or students in the EU

     •Consent when practical
     •Internal process to review and respond to take down requests

Information Technology:

     •Designated individual as POC for GDPR.
     •Data loss/ breach may require notice to individual within 72 hours

     •Specific scan/procedure for EU individuals following breach
     •Internal process to review and respond to take down requests


Additional GDPR Resources

The following are resources that should help provide you with a better understanding of the regulation; specifically, how it relates to U.S. institutes of higher education.