The European Union and United Kingdom General Data Protection Regulations

The European Union and United Kingdom General Data Protection Regulations Heading link

The European Union (EU) General Data Protection Regulation, known as the EU GDPR, went into effect on May 25, 2018. The United Kingdom (UK) has a nearly identical law, known as the UK GDPR, which together with the UK’s Data Protection Act of 2018, implement the provisions of the EU GDPR tailored specifically to the UK.

The EU and UK GDPRs strengthen data privacy protections for persons in the European Economic Area (EEA) and the UK. Both GDPRs may also protect the personal data of persons located in other countries under certain circumstances, and both carry the potential for significant fines for noncompliance.

The EU and UK GDPR affect how and what personal data* can be collected about individuals, including information collected for research purposes. Research involving any of the following must address EU and/or UK GDPR requirements:

Primary data collected from persons physically located in the EEA or the UK;

Re-use of personal data previously collected from persons in the EEA or the UK (e.g., for a previous research project) or obtaining existing personal data about persons in the EEA or the UK from other persons or units at the U of I (e.g., admissions data) for research use.

Secondary data obtained from an entity in the EEA or the UK about individuals located anywhere in the world;
Data scraped from accounts or websites of persons or entities in the EEA or the UK;
Personal data collected from collaborating researchers/parties in the EEA or the UK; or,
Plans to share any of the above outside of UIC.

* The definition of personal data as it applies to both GDPRs includes data that have been de-identified; encrypted or pseudonymized. Please click on the link above for further information.

The University of Illinois System has developed an Online GDPR Self-Assessment Tool to help you determine whether the EU and/or GDPR applies to your research.

If the tool indicates the EU and/or UK GDPR applies to your research, please include a copy of your completed Self-Assessment report with your submission documents.
Upon completion of the Self-Assessment, you will be directed (as applicable) to the corresponding GDPR consent template language. Links to these templates are found below. Appropriate template language must be incorporated into your research informed consent document prior to submission.

(Note: Responses to the Online Self-Assessment Tool are not saved in the webform. Upon completion of the report, you will be given the option to create a pdf or email the report.)

If you are using an outside vendor to process EU and/or UK GDPR-related personal data, the Online GDPR Self-Assessment tool will indicate the U of I needs to have a data protection agreement with the vendor. Similarly, if you are receiving personal data from persons or entities in the EEA and/or the UK about research subjects, you may be asked by the persons or entities providing you with the personal data to have the U of I enter into a data protection agreement. Learn more about data protection agreements here.

If you have any questions about the applicability of EU GDPR or the UK GDPR to your research, how to use the Online Self-Assessment Tool, or the GDPR Consent Templates, please contact uicirb@uic.edu.

The University Ethics and Compliance Office has created the following short video to help explain GDPR and its implications. Although it was created to address the EU GDPR specifically, the video’s explanations also generally address UK GDPR requirements in the context of the UK rather than the EEA.