Five years with the GDPR

GPDR - Europe

A little over five years ago, U-M, along with organizations across the country and the world, began work on holistically improving privacy practices in response to the General Data Protection Regulation (GDPR). The GDPR is a European Union (EU) privacy law that safeguards the personal information of individuals in the EU and the European Economic Area. The regulation went into effect on May 25, 2018, and has not only helped uphold privacy as a human right of people in its jurisdiction but has paved the way for the adoption of privacy legislation in many countries and a number of U.S. states.

The GDPR sets forth seven key principles that have woven their way into many common business practices and raised privacy awareness among the public:

  • Process personal data in a lawful, fair, and transparent manner (lawfulness, fairness, and transparency).
  • Limit personal data collection and processing to specified, explicit, and legitimate purposes (purpose limitation).
  • Limit personal data collection to what is adequate and relevant to the stated purposes (data minimization).
  • Take every reasonable step to ensure personal data is accurate and up-to-date (accuracy).
  • Keep identifiable personal data no longer than necessary for the stated purposes (storage limitation).
  • Ensure appropriate security of personal data (security).
  • Demonstrate responsibility for and compliance with these principles (accountability).

The GDPR is largely regarded as the “toughest privacy law in the world.” It sets forth fines of up to €20 million, or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever amount is higher. As of April 2023, the EU data protection authorities have imposed a total of €2.78 billion in fines, with over €2 billion issued to just three high-tech giants: Amazon, Meta, and Google.

Five years in, the GDPR has also seen some changes and a healthy dose of criticism. Lessons learned from the regulation’s development, implementation and enforcement continue to influence privacy laws around the world and here in the United States. The U.S. has myriad state laws focused on consumer data protection, but passing a comprehensive federal privacy law continues to be a challenge.

As a higher education institution with global reach, the University of Michigan is committed to respecting and protecting the privacy of its community members and guests. We have broadly adopted the GDPR principles as a cornerstone of our privacy program. Visit the Safe Computing website to learn more about privacy at U-M and check out the Protect and Respect Privacy curriculum (UMICH [Level-1] login required).