What is the General Data Protection Regulation (GDPR)?

The European Union’s (EU) General Data Protection Regulation (GDPR) is a new privacy law that went into effect on May 25, 2018, that governs the use of personally identifiable information. The GDPR grants certain legal rights to people in the European Economic Area (EEA) whose personal data is being collected and processed and imposes legal responsibilities on the entities that control or process personal data.

What does the GDPR do?

GDPR expands privacy rights for individuals located in the EEA. Specifically, it guarantees certain rights, depending on how the data is used. The rights are as follows:

  • The right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes;
  • The right to make informed decisions regarding the use and disclosure of the data;
  • The right to access the data; and
  • The right to have the data returned or deleted

It also impacts data pertaining to these individuals even when the data is located in other countries, regardless of the citizenship of the individuals. Specifically, the GDPR establishes a framework for safeguarding how personal data is used, such as:

  • Ensuring that the data is transferred, processed, stored and eventually disposed of using appropriate technical safeguards;
  • Limiting the use/processing of the data to purposes that comply with GDPR requirements (e.g., managing the academic records of UC students studying in the EEA as part of Education Abroad);
  • Requiring third parties who receive the data to adopt UC’s GDPR protections and safeguards through changes to contract terms.

Who are the data subjects?

The law is intended to protect the personal data of individuals in the European Economic Area (EEA), which includes EU countries as well as Iceland, Norway and Lichtenstein. When the EU is referenced, we mean all of the above countries or the EEA.

The EU countries include: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Spain and Sweden.

Who does the GDPR apply to?

In general, the GDPR covers the storage or use of personal data belonging to individuals in the EEA for University functions or activities that

(1) take place in the EEA (e.g., a study center in Europe);

(2) involve outreach to people in the EEA to offer goods or services (e.g., applications for admission); or

(3) monitor the behavior of individuals in the EEA online or involve the control or processing of data relating to people in the EEA (e.g., research that includes EEA citizens).

What are the areas/types of data likely to be impacted by GDPR?

GDPR generally does not apply to the following areas/types of data:

  • Data on clinical care provided in the United States;
  • Data on research conducted in the United States, where participants are not recruited from the EEA;
  • General marketing, where goods or services are not specifically targeted to the EEA

Below is a working list of the units/areas that we have identified as being likely to be impacted by GDPR. This will continue to be updated as we work through the process of inventorying data at UCSF and obtaining feedback from the UCSF GDPR Task Force.


  • Data on applicants from the EEA to UCSF educational programs, residency programs and fellowship programs


  • Data on students and former students of UCSF educational programs, residency programs and fellowship programs (where UCSF offers these employees a service) located in the EEA


  • Research being conducted by UCSF on data subjects in the EEA
  • Data from research institutions in the EEA being sent to UCSF


  • Data on employees and former employees (where UCSF offers these employees a service) located in the EEA
  • Recruitment of providers, faculty and staff from the EEA to work at UCSF


  • Data on donors located in the EEA

Targeted Clinical Care

  • Second opinion services for individuals in the EEA
  • Global health programs specifically intended for individuals in the EEA

Last updated: June 28, 2018

What is UCSF Privacy doing to prepare for GDPR?

The Privacy Office is establishing a GDPR Task Force to address issues that are specific to the impact of GDPR at our campus and health system.

The Task Force is comprised of representatives from key sectors likely to be impacted by the regulation and who will drive implementation efforts here at UCSF, including Privacy, Compliance, Office of Legal Affairs, Information Technology Security, Risk Management and Insurance Services and others. The primary goal of the Task Force will be to develop guidelines, processes and policy changes to be implemented at UCSF to promote compliance with GDPR.

The Privacy Office is also working closely with the UC Office of the President (UCOP) and the Office of General Counsel (OGC) in accordance with their system-wide GDPR efforts as listed below.

Please stay tuned for more information.

What is the University of California (UC) doing to prepare for GDPR?

UC’s compliance, privacy and informational technology programs are working together to develop an effective GDPR compliance program. This program is specifically designed to enhance the existing robust privacy infrastructure at UC to ensure compliance with this new regulation.

Program activities include:

  • Assessing how GDPR will affect UC programs
  • Developing tools and templates to assist UC programs with GDPR compliance
  • Developing communication tools to provide greater transparency to UC students, employees and other UC program participants regarding the collection and use of personal data
  • Ensuring that appropriate physical and technical safeguards are in place to protect the personal data of individuals
  • Working with our partners and vendors to ensure that data protections are maintained when personal data is transferred outside UC

What should you do?

Familiarize yourself with the GDPR:

PowerPoint – UCOP – An Introduction to GDPR

  • Slide deck of presentation that was given to the UCSF community by Hillary Kalay (Office of General Counsel) on June 22, 2018.


For questions relating to GDPR and its impact at UCSF, please contact the Privacy Office here.