General Data Protection Regulation

The General Data Protection Regulation (GDPR) is Europe's primary data protection law, regulating how institutions protect the personal data of European Union residents.

GDPR came into effect on May 25, 2018.  All institutions, regardless of location, which provide services to EU residents, are subject to GDPR.

The General Data Protection Regulation (GDPR) is a legal framework that requires the protection of personal data and privacy of individuals who reside in the European Union (EU).

GDPR applies to any organizationregardless of its location—that is processing the personal data of individuals inside the European Economic Area (EEA). Therefore, GDPR applies to US organizations as well, if they offer goods or services (even in the absence of commercial transactions) to residents of the European Economic Area.

Personal Data

As defined in GDPR Article 4, personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive Personal Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade- union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

European Union (EU)

The European Union is a political and economic union of 27 member states that are located primarily in Europe.

European Economic Area (EEA)

The European Economic Area (EEA), which was established via the EEA Agreement in 1992, is an international agreement which enables the extension of the European Union (EU)'s single market to non-EU member parties.

Data Subjects

Under GDPR, a data subject is any person (residing in the European Union, irrespective of nationality) whose personal data is being collected, held or processed.

Data Processing

Any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


The data controller is a person or company that determines the purposes for which and the means by which personal data is processed.


The data processor is a person or company which processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.

GDPR contains 11 chapters and 99 articles.

From an organizational perspective, GDPR requires significant data protection safeguards be implemented and imposes a number of obligations; notable requirements include that the organization:

  • Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists;
  • Minimize the collection and processing of personal data whenever possible;
  • Protect any personal data that it collects and uses;
  • Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal data of data subjects, implement a plan to mitigate those risks and impacts and continuously monitor both the risks and the mitigation plan for change; and
  • Have a breach notification policy, and notify authorities within 72 hours of learning of the breach.

The George Washington University is committed to adhering to the requirements of the European Union’s (EU) General Data Protection Regulation (GDPR) through our Personal Information and Privacy policy , our privacy notice and cookie consents.

GDPR gives EU data subjects significant new rights over how their personal data is collected, processed, and transferred by data controllers and processors. Under GDPR, EU data subjects have the right to, among other things:

  • Access any data that an organization has collected about the individual;
  • Know why an organization is processing the individual’s personal data and the categories of personal data that an organization processes;
  • Correct any errors in personal data collected or processed by an organization;
  • Know how long an organization will store the individual’s personal data; and
  • Under certain circumstances, require the organization to permanently delete the individual’s personal data (this right is sometimes referred to as the right to be forgotten or the right to erasure).

Click here to submit a GDPR Data Subject request to GW.

GDPR training is available to GW staff and faculty.

Online Training:

Available to staff and faculty in [email protected]. Training links below:

For additional information or training, contact [email protected].