LBL and GDPR

Berkeley Lab is aware of the European General Data Protection Regulation (GDPR) and is working with UC legal counsel, in coordination with the campuses, on longer-term efforts to analyze situations where the rule may be applicable to specific University functions.

LBL General Counsel and IT intend to provide additional guidance to the Laboratory when UC's GDPR implementation plans are finalized.

If you have questions, please email: privacy@lbl.gov 


FAQ Below:

Background

The European Union General Data Protection Regulation (GDPR) is effective as of May 25, 2018.

  • What is it? GDPR is an EU regulation designed to protect the privacy rights of individuals in the European Economic Area (EEA), which includes the European Union, Iceland, Norway, and Liechtenstein. It is intended to be an overarching privacy regulation for all EU Member States and replaces prior EU privacy regulations.
  • What does it do?
    • GDPR expands privacy rights for individuals located in the EEA. Specifically, it guarantees certain rights, depending on how the data is used:
      • The right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes;
      • The right to make informed decisions regarding the use and disclosure of the data;
      • The right to access the data; and
      • The right to have the data returned or deleted.
    • It also impacts data pertaining to these individuals even when the data is located in other countries, regardless of the citizenship of the individuals. Specifically, the GDPR establishes a framework for safeguarding how personal data is used, such as:
      • Ensuring that the data is transferred, processed, stored and eventually disposed of using appropriate technical safeguards;
      • Limiting the use/processing of the data to purposes that comply with GDPR requirements (e.g., managing the academic records of UC students studying in the EEA as part of Education Abroad);
      • Requiring third parties who receive the data to adopt UC’s GDPR protections and safeguards through changes to contract terms.
  • Who does it apply to? GDPR applies to organizations that are established in the EEA (for example, a study center in Europe). It also applies to organizations not physically in the EEA when they offer goods or services to individuals in the EEA (e.g., applications for admissions), or monitor the behavior of individuals in the EEA (e.g., research that includes EU citizens).
  • Are there penalties for non-compliance? Yes, GDPR imposes significant monetary penalties for organizations that do not comply with the regulation.

UC GDPR Compliance Program

What is the University of California (UC) doing to prepare for GDPR? UC’s compliance, privacy and information technology functions are working together to develop an effective GDPR compliance program. This program is specifically designed to enhance the existing robust privacy infrastructure at UC to ensure compliance with this new regulation. Program activities include:

  • Assessing how GDPR will affect UC programs
  • Developing tools and templates to assist UC programs with GDPR compliance
  • Developing communication tools to provide greater transparency to UC students, employees and other UC program participants regarding the collection and use of personal data
  • Ensuring that appropriate physical and technical safeguards are in place to protect the personal data of individuals
  • Working with our partners and vendors to ensure that data protections are maintained when personal data is transferred outside UC

LBL Laboratory Counsel and IT Division are working to implement the UC GDPR Program at the Laboratory.