Why does the U of I System care about the GDPR?

The U of I System takes privacy seriously and is committed to protecting the privacy of students and employees consistent with its obligations under the law. In that regard, the EU and UK GDPRs apply not only to entities located in the European Economic Area (EEA) and the UK, respectively, but also to entities outside the EEA and the UK when they engage in certain activities. Put simply, the GDPRs state that if you want to conduct business in the EEA or the UK, you have to play by GDPR rules. Violating those rules could result in fines of up to €20 million or 4% of worldwide revenues, whichever is greater.

The EU and UK GDPRs apply to controllers (someone who determines the purposes and means of processing personal data) and processors (someone who processes data on behalf of a controller) in three circumstances (the applicable GDPR is indicated in parentheses):

  • When they are established in the EEA (EU GDPR) or the UK (UK GDPR); or,
  • When they are not established in the EEA (EU GDPR) or the UK (UK GDPR) but they:
    • Offer goods or services to persons in the EEA (EU GDPR) or the UK (UK GDPR); or,
    • Monitor the behavior of persons in the EEA (EU GDPR) or the UK (UK GDPR).

Because the majority of our universities' activities do not take place in the EEA or the UK (although individual researchers might collect data while in the EEA or the UK), the university activities that can potentially trigger GDPR requirements are generally those that involve offering goods or services to persons in the EEA or the UK, or monitoring their behavior. Examples of such activities could include undergraduate and graduate admissions programs, distance learning courses, study abroad, international programs (especially where participating students are from the EEA or the UK), collecting data using cookies on university websites, and research involving persons or entities in the EEA or the UK.