New data privacy regulations are going into effect in the European Union (EU) this month, and their reach spreads to the work of companies and organizations around the world — including Georgia Tech.

New data privacy regulations are going into effect in the European Union (EU) this month, and their reach spreads to the work of companies and organizations around the world — including Georgia Tech.

The European Union General Data Protection Regulations (EU GDPR) become enforceable Friday, May 25. The chief focus of these regulations is to protect the collection, use, and transmission of personal data of people while they are physically within the EU.

The EU GDPR compliance requirements are stricter than comparable regulations for handling personal information in the U.S., such as HIPAA and FERPA. The focus is on providing proper notice to those having personal data collected — to inform them of what data is being collected, how it will be used, who it will be shared with, and how long it will be retained. In addition, there are written consent requirements for sensitive personal data as defined by the regulations, and data subjects have specific rights they may exercise to inquire about their data. 

“We have a significant global community at Georgia Tech, so these new regulations affect Tech in a number of ways,” said Katie Crawford, senior director of Enterprise Data Management. “For instance, this applies to students studying abroad in the EU — including Georgia Tech-Lorraine — as well as student applications for admission, applications for employment that are sent from the EU, online and distance learning taking place in the EU, research and development, as well as use by our cooperative organizations.”

Those who manage websites and communications, receive data from international sources, or simply plan to contact people in the EU within the scope of their work, should:

  • Review the Georgia Tech EU General Data Protection Regulation Compliance Policy located at the main Policy Library.
  • Determine whether a unit/department privacy notice is needed.
  • Receive and document written consent for sensitive data (as defined in the policy).
  • Be aware of the individual rights of the data subject and how to address a request for revocation of consent.

Georgia Tech’s Legal Affairs, Risk Management, Enterprise Data Management, and Cyber Security teams have worked together to review the EU GDPR regulations and provide some EU GDPR guidelines for compliance.

If you are unsure if your work or data use qualifies, review these additional resources:

For more information, contact Enterprise Data Management at eugdpr@edm.gatech.edu.