EU Adopts New Data Privacy Regulations
The European Commission has approved a new set of data protection regulations – the General Data Protection Regulation (GDPR). The regulations were officially adopted on April 27, 2016 and went into effect on May 25, 2018.
Some of the key provisions are as follows:
- Extraterritorial Application: The most significant departure from current EU data protection requirements is the application of the GDPR to organizations located outside the EU that process personal data in relation to the offer of goods and services to individuals inside the EU, or as a result of monitoring individuals within the EU.
- Expanded Definition of “Personal Data”: The GDPR will expand the definition of “personal data” to include unique online identifiers, including IP addresses, mobile device IDs, and unique biometric data, such as fingerprints, retina scans and genetic data.
- Fines for Noncompliance: The maximum fine for a breach of the GDPR will be 4% of the entity’s total revenue or €20M per infringement, whichever is greater.
- Data Breach Notification: Covered organizations will be required to notify the relevant European data protection authority of a breach within 72 hours. Also, notification to affected individuals must take place “without undue delay.”
- Individuals’ Rights to Personal Data: Individuals will have the right to have their personal information removed from systems or online content (right to be forgotten) and the right to obtain a copy of the personal data relating to them and have it transmitted to another party (right to data portability).
Many of MIT’s regular activities, such as distance and online learning, MISTI, study abroad programs, and research collaboration, as well as the information MIT collects about current and prospective students, alumni, and donors, may be subject to the GDPR. The Offices of the General Counsel (OGC) and Risk Management & Compliance Services (RMCS) are continuing to assess MIT’s compliance obligations under the GDPR. If you believe that your department, lab or center collects personal data from individuals in the EU and may be affected by the new regulations, please contact Jason Baletsa (617.253.4466, jbaletsa@mit.edu) or Kate Miller (617.324.1893, kkmiller@mit.edu). For more information, see the GDPR compliance website at https://riskandcompliance.mit.edu/compliance/gdpr.