Skip to main content

The GDPR replaces the Data Privacy Directive 95/46/EC and was created to harmonize data privacy laws across the European Union (“EU”). The GDPR is designed to protect the privacy of data concerning a natural person that is collected or processed in, or transferred out of, the EU, and to regulate entities that offer goods or services in the EU.

The GDPR defines “personal data” very broadly such that the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used to identify an individual.

The GDPR requires enhanced compliance, governance, and accountability pertaining to organizations involved in the processing of “personal data.”

This regulation became effective May 25, 2018, and its expanded scope comes in tandem with the potential for significantly increased penalties for non-compliance, such as the higher of 4% of an organization’s global turnover or €20,000,000.

Also, the GDPR is not limited to companies or universities operating in the EU alone. In fact, it’s expressly drafted to apply in an extraterritorial context where certain conditions are met.

UCF has a GDPR Workgroup with members from Information Security, University Compliance, Ethics, and Risk and the Office of the General Counsel actively reviewing this European law and working on internal university compliance processes. The GDPR Workgroup will make resources available to the university community as we learn more and when appropriate.

You may also e-mail questions to Please watch for more information and feel free to review the resources below.

More Resources