Home / Compliance & Regulations / GDPR Compliance

European Union General Data Protection Regulation (GDPR) Compliance

What is the GDPR? The General Data Protection Regulation (GDPR) is a privacy law that is interpreted and enforced by all countries in the EU (and Switzerland). The GDPR became effective in May 2018. It is based on the premise that each person has the fundamental right to control their personal data and how it is used.

GDPR Expands the Definition of Personal Data

Personal Data means any information that can identify a person, directly or indirectly, such as a name, birthdate, address, id number, location data, IP address, or a factor specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

The GDPR provides extra protection to some personal data such as: racial or ethnic origin; political opinions; religious or philosophical beliefs; genetic data; biometric data; health data; and sex life or sexual orientation.

NOTE: The GDPR protects data that ASU could otherwise share, e.g., names, email addresses, and birth dates.

GDPR Applications List

The current list of GDPR applications can be viewed here.

How to Drive a Culture of Privacy at ASU – Privacy by Design and Default

  • Collect only personal data that ASU truly needs, and keep it only as long as necessary 
  • Clearly communicate what data is being collected and how it will be used 
  • Obtain and track consent from each data subject 
  • Anonymize or pseudonymize personal data before sharing, transmitting, or storing 
  • Limit access to personal data, both within and outside of ASU 
  • Use secure systems, networks, programs, and devices 
  • Require third parties (vendors and contract partners) to use information security best practices  
  • Only use marketing or tracking cookies with consent 
  • Do not pre-check “yes” or automatically opt in anyone on any personal data use consents 
  • Ensure third parties have obtained necessary consents before purchasing personal data from them