U-M GDPR journey discussed at forum


Block M & EU logo. location, location, location. A person's location matters when collecting data about them.

If you’re worried about the impact of the General Data Protection Regulation (GDPR) in your unit, take a deep breath and relax. The university has got your back.

Sol Bermann, university privacy officer and interim chief information security officer, and David Grimm, associate general counsel, reassured attendees at a July 26 GDPR open forum that—with the help of a working group of U-M stakeholders—U-M’s GDPR compliance program is taking shape.

The GDPR, which took effect in May, focuses on privacy protection and regulates the processing of personal data of people located in the European Union (EU). Bermann noted that Europeans, in part reacting to previous authoritarian regimes, consider privacy a basic human right. The U.S., in contrast, has developed a sectoral approach based on individual laws and regulations to protect specific data types, such as student education records and electronic protected health information.

“Think of it like this,” said Bermann. “In the U.S., you can collect data unless the law says you can’t. In the EU, you cannot collect data unless the law says you can.”

Why would a European Union (EU) regulation apply to the University of Michigan? According to Grimm, it applies for two reasons:

  1. U-M engages in business activities—such as research—that may collect or process the personal data of individuals residing in the EU.
  2. U-M works with data controllers or processors that are located in the EU.

Bermann illustrated with some examples of where the GDPR could apply at U-M:

  • A cohort of students who are U.S. citizens study abroad in the EU. Data associated with their activities in the EU flows back to the U.S.
  • U-M fundraisers collect donor information from alumni residing in the EU.
  • A research consortium in the EU provides U-M with personal data of EU citizens for research analysis.
  • Online courses offered by the university—if people living in the EU participate.

“We are taking a risk-based approach,” explained Bermann, “focusing first on people, policy, and process.” If needed, technology compliance solutions may also be considered.

  • People. Engaging the right stakeholders and documenting GDPR roles and responsibilities.
  • Policy. Developing privacy statements, as well as supporting templates and documentation, that units can use.
  • Process. Assessing and addressing U-M processes in support of compliance.

Undergraduate Admissions staff members have begun a GDPR pilot that will inform compliance efforts in other units. Units have submitted more than 114 data surveys that are being used to prioritize compliance efforts and populate the GDPR Register required by the regulation.

The GDPR project team has updated the privacy notice for the U-M website and is finalizing privacy statement templates, contract addenda, and other compliance tools that will be made available to university units.

Added Grimm, “The regulation is so new that it hasn’t yet been interpreted in the courts, and there haven’t been any enforcement actions yet.” He said that the regulation is “incredibly broad and vague,”  and it will take some time for its impact to be understood.

“Our risk-based compliance approach is a good fit for the university,” Bermann said. “We are taking some time to get this right.”