GDPR Frequently Asked Questions

April, 2019
IT-related Documents Regarding Policies

What is the GDPR?

The GDPR stands for the General Data Protection Regulation.  The GDPR is a European Union (EU) consumer-protection law about privacy.  This law will impact persons and organizations in the United States and around the world.  Generally, anyone who processes personal data about individuals in the EU within the context of offering goods or services to or monitoring the behavior of people in the European Union (EU)  will need to abide by this regulation.

The physical location of the data subject or person is what determines whether the GDPR applies, not the citizenship of the person or the physical location of the organization (UT Austin).  Simply being in the EU and having personal data collected about you by another party anywhere in the world may be enough to trigger the GDPR.

Generally speaking, under the GDPR there must be a “lawful basis” for all data processing. Examples of that could be that the use of the data is necessary to perform a legitimate business interest (for example, attendance records of a student), the processing of the data is required by another law (such as reports on diversity or enrollment generally), the use of the data must be necessary to perform a contract (like agreements with international travel agencies), or that we have received consent from the person to use their data.

The GDPR was approved and adopted by the EU in April 2016 and took effect on May 25, 2018. Monetary penalties for not following this regulation are very high.  However, there is still much that is uncertain about how the GDPR will be read and applied.

What is personal data?

Personal data, according to the GDPR, is any information related to a natural person or “data subject” that can be used to directly or indirectly identify the person.  It can be anything such as a name, photo, phone number, email address, bank details, posts on social networking sites, medical information, or even a computer IP address.

This definition is very similar to what is considered “personally identifiable information” in FERPA. However, FERPA treats “directory information” as public by default, while GDPR does not.

The GDPR does not apply to personal data that have been anonymized.  Data have been anonymized when identifiable information has been removed in such a manner that the data subject is not or no longer identifiable.  However, data that has been stripped of identifying information but that, due to its nature, may still subject the data subject to identification is not considered to be anonymized.  For example, if only one student enrolled at the University is from Lyon, France, that student may still be identifiable even if their name, date of birth, and street address are removed from a data set.   

There are more specific rules for processing special categories of personal data under the GDPR. Those special categories are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics or biometrics, health, sex life or sexual orientation, and criminal record.  If consent is used as a basis for gathering such information, the consent must be explicit.

Which countries belong to the European Union?

There are currently 28 countries that are part of the European Union (EU): Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

In addition, the United Kingdom will likely follow the GDPR, even though it will leave the European Union soon.

Who does this apply to?

This new regulation potentially affects nearly everyone who travels to, lives in, or does business with the EU. The physical location of the data subject or person is what determines whether the GDPR may apply, not the citizenship of the person or the physical location of the organization (UT Austin).

Some examples of how the university might interact with the EU include:

  • Study abroad or exchange programs in the EU
  • EU residents applying to come to UT (students, employees, visiting scholars/researchers)
  • EU residents involved in distance-learning or online classes
  • Donors or alumni living in the EU
  • Collaboration and research with EU institutions
  • Athletes travelling to the EU and communicating with UT
  • Recruiting of faculty/students in EU

When does this apply?

The GDPR applies when the University is processing personal data in the context of offering goods or services to or monitoring the behavior of people in EU.

The availability of goods or services on a website does not mean the GDPR affects your organization. Just because UT has a website that can be accessed from the EU, for example, does not mean that we are “offering goods or services” to people in the EU.  But, if the website were more focused on EU residents, such as using a language from an EU member country or posting prices or costs in EU currency that could show that we were intentionally targeting our website to people in the EU. 

Please be aware that the use of “cookies” on our websites functions to gather information from anyone who views the site.  The use of “cookies” may be considered a form of “monitoring the data subject” which would invoke the GDPR should someone in the EU view one of our websites.  For more information on cookies, see Privacy Standards (insert link). 

Look at your websites and see if someone might consider it aimed at the EU. If you have concerns and are not sure about your website, contact the Data Protection Officer for assistance in determining if the GDPR applies to your website.

How do other US laws, like FERPA, HIPAA, and records retention, interact with this regulation?

As a general rule, while making a good faith effort to comply with the GDPR, the University will follow US and Texas law should there be a conflict between that law and the GDPR.

For example, in certain circumstances data subjects may have a “right to be forgotten” (right to erasure of personal data) under the GDPR.  It is possible that such a request is not consistent with US laws, such as records retention rules. The right does not mean that a student can have their attendance record or disciplinary record at UT deleted just because they want to.

Since this is a new law, we will likely see guidance on how to interpret it over the next several months or even years.  Guidance will be communicated as we receive it.

As a data collector, what happens if I violate this regulation?

If you believe that you, your office, or department has violated some provision of the GDPR, please report any concerns up your chain of command. Have your department or office leadership contact the Data Protection Officer, Chris Hutto, in Legal Affairs.

What happens if there is a data breach at the University?

Report the breach immediately to the Information Security Office, headed by Cam Beasley, and contact the Data Protection Officer, Privacy Officer, and Chief Compliance Officer. This must be done within 48 hours of the discovery of the breach.  You can find contact information for each office below. 

The University may also need to notify the data subject(s) of the breach and give information about what steps the organization is taking in response to the breach. The University already has plans in place to respond to data security breaches, including providing notification to data subjects or other affected parties. The links below can provide additional information. (an EID is required)

What rights does the GDPR provide to a Data Subject?

In most cases, data subjects will have the following rights with respect to their personal data:

  • Access to their data
  • Recertification (correction of inaccurate or incomplete data)
  • Erasure
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Not to be subject to automated decision-making

Please contact the University’s Data Protection Officer if a data subject submits a request to exercise their rights provided by the GDPR.

What do I need to do?

  • Check with your IT people to make sure your websites include links to our recently revised Data Privacy Standards and links to any consent forms you might need. If your website targets people in the EU (for example, your web pages have been translated into different languages or show the local EU currency or other indicators of an effort to market to the EU), talk with the Data Protection Officer regarding what you need to do next.
  • Review and possibly update consent forms. The forms need to be written in plain language and be easily found. You can no longer have a blanket opt-in agreement, have boxes on forms automatically checked as opt-in, and you must have consent from the person that is specific to the transaction. You must tell the user why you’re collecting the data.
  • Check with your vendors to make sure they are compliant with the GDPR. Amend your contracts with them if necessary.The Office of the General Counsel at UT System has provided model contract clauses and a model GDPR addendum that you may use in contracts that may be subject to the GDPR.Please contact the Business Contracts Office for assistance with amending your contacts.
  • Pay attention to when people say they no longer want you to use their information. Consent can be withdrawn at any time and you will need to remove their information, when US law allows you to do so (see also “How do other US laws interact with this regulation?”).
  • Contact the Data Protection Officer if a person submits a request to exercise their rights provided by the GDPR.

What resources do I have for questions?

  • Current Web Privacy Policy
  • Data Protection Officer: Christopher Hutto, chris.hutto@austin.utexas.edu
  • Privacy Officer: Jeffrey Graves, jgraves@austin.utexas.edu
  • Chief Compliance Officer: Leo Barnes, lbarnes@austin.utexas.edu
  • Departmental contacts:
    • Apply Texas, Tim Brace
    • Athletics, Lori Hammond or Hatty Bogucki
    • Business Contracts, Linda Shaunessy
    • Chief Information Officer, Chris Sedore
    • Dell Medical School, Leah Stewart
    • Development, Cesar De La Garza, Jessica Baker, and John Gough
    • Enrollment Management, Carolyn Connerat
    • Financial Aid, Diane Todd Sprague and Alice Hatfield
    • Graduate and International Admissions Center (GIAC), Shannon Neuse
    • Human Resources, John Moore
    • Independent Contractor and Tax Services, Cynthia Roberts and Lori Peterson
    • Information Technology (ITS), Michael Cunningham, IT Directors
    • Information Security Office (ISO), Cam Beasley
    • International Office, Heather Thompson, Teri Albrecht, and Mike Smith
    • Legal Affairs, Patti Ohlendorf, Chris Hutto, Jessica Sentz, and Jeff Graves
    • Office of Sponsored Projects, David Ivey
    • Payroll Services, Shelley Powers
    • Provost’s Office, David Wolcott
    • Records and Information Management, Maryrose Hightower-Coyle
    • Registrar’s Office, Shelby Stanfield
    • Student Affairs, Carol Longoria
    • Texas Advanced Computing Center (TACC), Nathaniel Mendoza
    • Texas Exes, Brigid Anderson
    • Texas Extended Campus and University Extension, Karen Smid
    • Travel Management, Lee Loden
    • University Compliance Services, Leo Barnes
    • University Health Services and CMHC, Robert Reed
    • Workday Implementation Program, Heather Hanna
    • Youth Protection Program, LeeKeshia Williams