U-M preparing for GDPR

silhouette of people standing in front of EU flag with a lock in the middle

A cross-university working group has been working for months to prepare U-M for the General Data Protection Regulation (GDPR), which goes into effect on May 25. To date, these efforts have included developing a risk-based GDPR compliance strategy, making important decisions regarding key requirements of the regulation, developing key GDPR processes and tools, and making recommendations for an ongoing, sustainable GDPR compliance program.

GDPR is designed to harmonize data privacy laws across the European Union (EU). It expands personal privacy rights for those in the EU. It also may apply to institutions with no physical EU presence—including universities—if they control or process covered information.

The U-M working group has made good progress on the following:

  • Identifying affected data and process flows. The group identified units that store or process data likely to be affected by the GDPR and asked them to fill in surveys with general information about the data and process flows. U-M units have submitted more than 90 surveys so far, and the project team has undertaken compilation, analysis, and legal review.
  • Creating a GDPR register. This will be used for maintaining the required records of data processing activities.
  • Creating a master privacy statement template. The group has reviewed existing U-M privacy statements, as well as best practice statement templates. The new template the team is drafting will account for GDPR compliance and reflect privacy statement best practices. It will provide a consistent approach for use across the university and will be available for all units to use.

For more detail, see these pages on the Safe Computing website:

If you want to hear more and have a chance to ask questions, plan to attend the U-M GDPR Open Forum from 9:00 a.m. to noon on July 26 at the Rackham Amphitheater on the Ann Arbor campus. Watch for more information about the forum as we get closer to July.

In the meantime, you can send questions to  GDPR-project@umich.edu.