European Union General Data Protection Regulation (EU GDPR)
The GDPR imposes enhanced compliance, governance, and accountability requirements on organizations involved in the processing of “personal data” about individuals in the EU. The GDPR defines “personal data” very broadly such that the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used to identify an individual.
This new regulation became effective May 25, 2018, and its expanded scope comes in tandem with the potential for significantly increased penalties for non-compliance, such as the higher of 4% of an organization’s global turnover or €20,000,000.
Also, the GDPR is not limited to companies or universities operating in the EU alone. In fact, it’s expressly drafted to apply in an extraterritorial context where certain conditions are met.