University of Illinois System

The European Union and United Kingdom General Data Protection Regulations

Background

The European Union (EU) General Data Protection Regulation (GDPR), known as the EU GDPR, is a comprehensive privacy regulation enacted by the EU Parliament in 2016. The regulation has been in effect since May 25, 2018. The United Kingdom (UK) has a nearly identical law, known as the UK GDPR, which, together with the UK's Data Protection Act 2018, implements the provisions of the EU GDPR tailored specifically to the UK.

Although the EU and UK GDPRs primarily protect the personal information of persons physically located in the European Economic Area (EEA) and the United Kingdom (UK) respectively, they may protect the personal information of persons located in other countries, as well. 

The EU and UK GDPRs seek to protect the full spectrum of personal information. Accordingly, both GDPRs define personal information broadly as any information associated with an identified or identifiable natural person.

The U of I System Supplemental Privacy Notice explains for persons in the EEA and the UK what types of personal information the U of I System collects, how the personal information is used, with whom the personal information is shared, and how persons in the EEA and the UK can exercise their GDPR rights. 

The University of Illinois and the GDPR

For a quick overview of the GDPR at the University of Illinois, watch this 5-minute animated video.

Why does the U of I System care about the GDPR?

The U of I System takes privacy seriously and is committed to protecting the privacy of students and employees consistent with its obligations under the law. In that regard, the EU and UK GDPRs apply not only to entities located in the European Economic Area (EEA) and the UK, respectively, but also to entities outside the EEA and the UK when they engage in certain activities. Put simply, the GDPRs state that if you want to conduct business in the EEA or the UK, you have to play by GDPR rules. Violating those rules could result in fines of up to €20 million or 4% of worldwide revenues, whichever is greater.

The EU and UK GDPRs apply to controllers (someone who determines the purposes and means of processing personal information) and processors (someone who processes personal information on behalf of a controller) in three circumstances (the applicable GDPR is indicated in parentheses):

  • When they are established in the EEA (EU GDPR) or the UK (UK GDPR); or,
  • When they are not established in the EEA (EU GDPR) or the UK (UK GDPR) but they:
    • Offer goods or services to persons in the EEA (EU GDPR) or the UK (UK GDPR); or,
    • Monitor the behavior of persons in the EEA (EU GDPR) or the UK (UK GDPR).

Because most of our universities' activities do not take place in the EEA or the UK (although individual researchers might collect personal information while in the EEA or the UK), the types of university activities that potentially trigger GDPR requirements are generally those that involve offering goods or services to persons in the EEA or the UK, or monitoring their behavior. Examples of such activities include undergraduate and graduate admissions programs, distance learning courses, study abroad, international programs (especially where participating students are from the EEA or the UK), collecting personal information using cookies on university websites, and research involving persons or entities in the EEA or the UK.

Questions?

If you are a U of I employee and you have a question about the EU or the UK GDPR, please contact the University Ethics and Compliance Office by email at GDPRrequest@uillinois.edu or by telephone at 866-758-2146.

If you are a person in the EEA or the UK and would like to learn how to submit a GDPR request to the U of I System, please see the U of I System Supplemental Privacy Notice.