The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that the European Parliament passed in April 2016 to govern the processing and movement of EU residents' personal data. The GDPR is effective as of May 25, 2018 and replaces the 1995 Data Privacy Directive. The new regulation has a broader territorial scope and more significant fines (up to $20 million) for violations than prior EU law. The GDPR applies to entities located outside of the EU that handle personal data about EU residents when offering them services or monitoring their behavior. As the regulation is new, our understanding will continue to evolve over time.

The EU GDPR sets a broad definition for personal information and establishes a variety of requirements regarding the handling of EU residents' personal information. Note that the law specifically applies to EU residents rather than citizens. It does not apply to EU citizens while they reside in the United States. However, it does apply to United States citizens when they provide data to the University while temporarily located in the EU.

At a high level, GDPR addresses the following requirements:

  • Data processing must be lawful, meaning that one of the following applies:
    • Consent for processing was obtained from the individual(s)
    • A legitimate interest exists – details are further defined in the law
    • A contractual relationship exists – data processing is done to meet the obligations of a contract
  • Data collected must be adequate, relevant and proportionate
  • Data must be retained only as long as necessary and must be secure
  • Restrictions exist on data transfers outside of the EU
  • Notice must be provided to individuals about how data will be processed and used

In addition, data subjects have a number of rights, including the:

  • Right to be informed
  • Right to access their data
  • Right to correct data
  • Right to request deletion of data

Compliance for CU

A core group, including members from the Office of Information Security and Office of University Counsel, has been evaluating the impact of GDPR at CU.  This group is working closely with campus compliance officers and departments that we expect to be most impacted by GDPR. If you would like to discuss the impact of GDPR on your department, email for more information.


Contact us at if you have questions or concerns about the GDPR, how it may apply to your unit or inquiries related to personal data that may be collected and processed by the University of Colorado.