Stanford readies for new EU privacy regulations

New data protection regulations will go into effect May 25 in European Union countries and will affect offices throughout the university, including Bing Overseas Study Program sites in the EU. The new law affects how any business, including a university, collects, uses or stores personal data.

On Friday, May 25, a new data protection law will go into effect that applies to any business – including universities like Stanford – that collects, uses or stores personal data of people located in a European Union country.

Wendi Wright is Stanford’s chief privacy officer. (Image credit: L.A. Cicero)

Called the General Data Protection Regulation (GDPR), the law requires that businesses that process “personal data” from people located in the EU do so in a lawful and transparent way that protects that data. GDPR puts the individual’s privacy rights at the forefront of the regulation, requiring businesses to provide clear and detailed notice to individuals on how their personal data will be used.

Wendi Wright, Stanford’s chief privacy officer, explains the ramifications of GDPR and answers questions about its implications for Stanford.


What is the General Data Protection Regulation that is about to go into effect across the European Union?

The European Union General Data Protection Regulation, or GDPR, is a new and substantial data privacy law that is relevant to 33 countries in the EU and European Economic Area. GDPR applies to individuals and organizations handling personal data within the EU, transferring data into and out of the EU, and processing of EU data anywhere. It is effective as of May 25, 2018.


How does it affect Stanford?

Stanford as an educator, employer and research institution collects and processes personal data from around the world on a regular basis. When we are collecting and processing data from people located in the EU – regardless of citizenship or residency – during the course of offering goods or services, marketing, or by one of our sites established in the EU, we fall within GDPR and must meet the regulatory requirements.


What kind of information is protected under GDPR?

The GDPR protects personal data of people located in the EU. Personal data includes some obvious types of information like name, address, health information and IP address. But it also includes information related to race or ethnicity, religion or philosophical beliefs, and sexual orientation. This is because, in the EU, protection of personal data is considered a fundamental right of the individual.


Can you give a specific example of how the GDPR might affect a particular function at Stanford?

A good example is the Bing Overseas Study Program (BOSP), which has five sites in the EU. Those sites have staff, contractors, faculty and, of course, students all in the EU. Even if personal data was never transferred outside of the EU by BOSP, the sites are still established in the EU, making them subject to GDPR. Another example is a research study where there will be data subjects from the EU. We must ensure that our informed consent form meets EU regulatory requirements, as well as U.S. requirements like the Common Rule, otherwise known as the Federal Policy for the Protection of Human Subjects.


How has the university responded to the upcoming changes?

In August 2017, the University Privacy Office convened a multi-disciplinary task force to begin reviewing and assessing GDPR and its impact on the university. Through our GDPR Task Force and its seven working groups, we have:

  • Engaged in data mapping
  • Conducted a gap assessment
  • Prioritized our compliance efforts
  • Developed new privacy notices and policies
  • Amended consent language in admissions, financial aid, human resources and research
  • Updated contractual language
  • Developed a training video for the university

This is an ongoing effort for us, as this is a new law and everyone – including the European regulators – is still learning how to achieve compliance.


Is the university prepared for the change?

I think that we are well situated for May 25, and that is due primarily to the efforts of the GDPR Task Force. The GDPR Task Force has more than 100 members across the university and has been incredibly responsive, supportive and creative over the last nine months.


What are the consequences for entities that fail to comply?

  • Fines of up to €20,000,000 (about $23.4 million) or 4 percent of total worldwide yearly revenues, whichever is higher
  • Inability to transfer data from the EU
  • Inability to collaborate with entities that comply with GDPR
  • Private claims from data subjects
  • Heightened scrutiny from data protection authorities

These consequences could have a substantial effect on the university in terms of reputation and achieving our core mission.


What are likely to be the consequences for the way Stanford communicates with alumni or prospective students located in EU countries?

We have updated the official Online Privacy Policy and Offline Privacy Policy. Both of those provide notice about what types of personal data we collect for what purposes, and the online policy includes a cookie-use section. We have also updated our consent language for admissions and financial aid to meet EU requirements.


If you have questions about compliance with the General Data Protection Regulation, email

See also “Data privacy: New EU laws coming in May,” featuring Albert Gidari, director of privacy at the Center for Internet & Society at Stanford Law School.