GDPR Guidelines

Guidelines for General Data Protection Regulation Personal Data

This page provides information for UT Dallas personnel to comply with regulatory, policy, and contractual requirements associated with safeguarding personal data regulated by the General Data Protection Regulation (GDPR).

What are the rules for protecting GDPR personal data?

The European Union and the United Kingdom have passed laws regulating the collection, processing, dissemination, and use of personal data relating to individuals in EU member states and the United Kingdom; the protections apply to data subjects located in those jurisdictions, not only to their citizens. The GDPR is concerned with the lawfulness, ethics, and confidentiality of personal data collection and use, and organizations collecting and processing GDPR personal data for scientific or academic research must comply with the protection requirements laid out in the regulation.

You should also be aware of the UT Dallas policies and procedures that support compliance with GDPR requirements.

If you need help navigating a data access request to an EU or UK data repository, contact exportcontrol@utdallas.edu.

Who needs to follow GDPR policies and what are their responsibilities?

All UTD faculty, staff, and students must be aware of the security requirements of their research and development activities.

GDPR protection requirements apply to UT Dallas faculty, staff, and students who engage in research and development activities that require use, access, storage, or creation of GDPR personal data. All faculty, staff, and students responsible for GDPR personal data protection must complete information security training prior to accessing GDPR personal data, and at least every two years thereafter.

Principal Investigators are responsible for identifying when their research projects will involve GDPR personal data, writing and obtaining institutional approval for research compliance protocols, and ensuring the other faculty, staff, and students contributing to the project comply with GDPR protection requirements and related UT Dallas policies.

What are the security requirements and best practices for protecting GDPR data in research?

Researchers who are working with GDPR personal data must consider the confidentiality, security, and ethics of their data collection and protection practices. In addition to consent and ethical practices recorded in human subjects protocols, UT Dallas recommends that researchers implement internal controls for digital security, physical security, network security, dissemination, and destruction, which are captured in the standard data confidentiality plan.

Researchers who accept GDPR personal data from a foreign sponsor or repository may be required to implement specific safeguarding requirements by the data source. Such requirements are usually identified in the agreement or certification that is issued to UT Dallas by the data source.

How do I get UT Dallas approval to use GDPR personal data in research?

UT Dallas faculty, staff, and students must obtain approval from the UT Dallas Office of Research and Innovation before they can collect, store, or process GDPR personal data using UT Dallas information resources as part of a research project.

Researchers who intend to collect GDPR personal data in the performance of their research need to complete the following steps:

  1. Obtain institutional approval of a human subjects protocol by applying via Cayuse IRB. Approval must be obtained prior to accessing human subjects data.
  2. Identify the specific logical, physical, and personnel measures that will be used to protect the GDPR personal data in a data confidentiality plan written with ORSE.
  3. Work with ORIS or your department IT to select and configure an appropriate data storage environment.
  4. Ensure all contributing researchers have completed information security and human subjects research training, as needed.

Researchers requesting approval to obtain GDPR data from a foreign collaborator or data repository need to complete the following steps:

  1. Submit a Proposal Certification requesting a Data Use Agreement in OAR.
  2. Confirm the regulatory and security requirements imposed by the data provider and share the requirements with ORSE and OSP.
  3. Obtain institutional approval of a human subjects protocol by applying via Cayuse IRB. Approval must be obtained prior to accessing human subjects data.
  4. Write a data confidentiality plan with ORSE to document the specific logical, physical, and personnel measures that will be used to protect the GDPR personal data.
  5. Work with ORIS or your department IT to select and configure an appropriate data storage environment.
  6. Ensure all contributing researchers have completed information security and human subjects research training, as needed.

For questions or more information, contact HSP@utdallas.edu or exportcontrol@utdallas.edu.

Where can PIs get help at UT Dallas?

Office of Sponsored Projects (OSP) or Office of Technology Commercialization (OTC) – review, negotiate and sign data use agreements for receiving GDPR personal data from a collaborating organization.

Office of Research Security and Ethics (ORSE) – review research proposals and data use agreements for security requirements, provide feedback on data confidentiality plans, and support researchers in identifying and securing storage for GDPR data. Provide the resources and training necessary to safeguard GDPR data in compliance with regulatory requirements.

Office of Research Information Systems (ORIS) – review research proposals and data use agreements for data processing and storage needs and support researchers in identifying and obtaining appropriate storage for GDPR data.

Office of Human Subjects Protections (OHSP) – review GDPR data for human subjects research protections and ensure compliance with consent requirements and other safeguarding practices required for GDPR personal data used in research.

Information Security Office (ISO) – provide institutional oversight and monitoring of UT Dallas efforts to store, process, generate, and use GDPR data.

UT Dallas Resources and Forms