General Data Protection Regulation (GDPR) FAQs

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The EU put these guidelines into effect on May 25, 2018 to replace and enhance previous legislation that regulated privacy.

Why is the GDPR important?

The GDPR clarifies what companies and organizations must do to ensure European data subjects’ rights and describes what companies must do to protect these rights.

When did the GDPR take effect?

The GDPR took effect on May 25, 2018.

Whose data does the GDPR regulate?

The GDPR applies to all organizations that possess personal data of people while they are residing, permanently or temporarily, in the EU.

Is the United Kingdom (UK) participating in the GDPR? Will GDPR guidelines still apply to UK residents after Brexit?

Yes, the GDPR applies to UK residents now and will continue to apply after Brexit.

Does the GDPR apply only to data collected after May 25, 2018, or to all data ever collected about an affected individual?

The GDPR applies to all data ever collected about EU residents. Ohio State will apply GDPR to all data we have about affected persons.

Is this another security regulation?

No, the GDPR is not a data security regulation – it does not set requirements for how organizations protect stored data. The GDPR focuses on data privacy, specifically on individual rights related to how organizations use, collect, and store personal data.

Is The Ohio State University required to comply with the GDPR?

Yes, Ohio State must comply with the GDPR.

Is Ohio State compliant with the GDPR?

Ohio State is implementing a GDPR compliance program. We are piloting our compliance efforts with offices that are most likely to work with, collect, and store information about EU residents.

Does Ohio State have a plan for addressing the GDPR?

Ohio State has a cross-departmental working group that is collaborating to develop and implement GDPR compliance efforts.

What does the EU classify as “personal information” under the GDPR?

“Personal information” is any information that organizations or individuals can use to identify a person residing in the EU. Examples include names, photos, email addresses, social media posts, and computer IP addresses.

Will research be exempt from GDPR reporting/consent requirements?

The EU has not specified how the GDPR will affect research reporting/consent requirements.

Does the GDPR apply to filing systems made up of hard copies of documents (data recorded physically on paper versus digitally)?


Does the GDPR apply to data that we store and manage through automation?

Yes, personal data stored and processed through automation is within the scope of the GDPR.

Does the GDPR apply only to the storage of personal data?

The GDPR applies to both the storage of data and how it is used. For example, referencing/accessing IP addresses is within the scope of the GDPR.