General Data Protection Regulation (GDPR) Compliance

The General Data Protection Regulation (GDPR), which formally took effect May 25, 2018, is intended to affect organizations worldwide, including universities. The GDPR:

    • Replaces the Data Protection Directive 95/46/ec as the primary law regulating how companies and organizations protect the personal data of European Union (EU) residents.
    • Expands personal privacy rights for EU residents and also affects non-EU citizens located in the EU.
    • Mandates a baseline set of standards for organizations that handle certain personal and other data of individuals located in the EU to better safeguard the processing and movement of that data.
    • Applies to institutions with no physical EU presence if they control or process covered information (irrespective of whether the subject individuals are EU citizens).
    • Calls for fines of up to 4% of annual global turnover, or 20 million euros, whichever is more, for violations of the regulation.


University of Toledo is developing a risk-based GDPR compliance program, specifically designed to enhance the existing robust privacy infrastructure at UT. The University Data Protection Officer created an interdisciplinary working group to develop an ongoing, sustainable GDPR compliance program. The work includes but not limited to:

    • Assessing how GDPR affects UT programs;
    • Developing tools and templates to assist UT programs with GDPR compliance;
    • Ensuring that appropriate physical and technical safeguards are in place to protect the personal data of individuals; and,
    • Working with our partners and vendors to ensure that data protections are maintained when personal data is transferred outside UT.


GDPR explicitly confers numerous rights upon data subjects located in the EU, and requires covered organizations to put significant safeguards in place regarding the use and processing of personal data of EU subjects.  Personal data is defined very broadly under GDPR, and consists of any information relating to an identified or identifiable person.

Personal Identifiable Information 

Personal Identifiable Information consists of any information relating to an identified or identifiable person and includes a person’s name, identification number, location data, online identifier, or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person. Specific examples include but are not limited to:

    • Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
    • All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
    • Telephone numbers
    • Fax number
    • Email address
    • Social Security Number
    • Medical record number
    • Health plan beneficiary number
    • Account number
    • Certificate or license number
    • Any vehicle or other device serial number
    • Web URL
    • Internet Protocol (IP) Address
    • Finger or voice print
    • Photographic image - Photographic images are not limited to images of the face.
    • Any other characteristic that could uniquely identify the individual.


University of Toledo Web Privacy Statement
University of Toledo Frequency Asked Questions
Official EU Commission Site EU Data Protection website.
GDPR: Key Issues (Intersoft Consulting)
GDPR: Interactive Whiteboard (Tech Privacy)

Data Protection Officer (DPO)
William McCreary, Vice President, Chief Information Officer and Chief Technology Officer

Have a question about the GDPR?

Last Updated: 6/27/22