GDPR Goes Live on May 25

Posted on: May 30, 2018

The European Union’s General Data Protection Regulation (GDPR) comes into force on Friday, 25th May 2018. According to the European Commission, the GDPR “regulates the processing by an individual, a company, or an organization, of personal data relating to individuals in the EU.”

But wait. I thought we were in the US, not the EU?

We are. However, the GDPR applies to any person who is present in an EU member state. EU citizens living outside of the EU may not be protected by the GDPR, but EU citizens and foreign nationals living in the EU fall under its protection. For the purposes of the GDPR, the EU does not distinguish between EU citizens, residents, or anyone else located in the EU. It uses the term “Data Subject” to refer to any EU-based person about whom data is collected. Therefore, the GDPR may apply to a JMU international student who has gone home for the summer, a JMU student currently studying abroad, an EU-based individual whom a JMU researcher wishes to use as a research subject, and so on.

So this is why many US companies are striving to bring their data policies into compliance with the GDPR?

Yes, many leading US companies have come to the conclusion that it’s far easier to have a general GDPR-compliant policy, rather than separate policies for EU and US (or worldwide excluding the EU) customers.

What does the GDPR do, anyway?

The European Commission states that the GDPR is designed to confer the following benefits:

  • “The right to be forgotten” – deletion of data, if requested by its subject
  • “Easier access to one’s data” – people will have more information about how data concerning them is processed
  • “The right to know when one’s data has been hacked”
  • “Data protection by design and default” – data protection must be an inherent part of data collection at all stages of the process

What about the British, aren’t they leaving the EU?

Perhaps. But for now, the UK remains in the EU and subject to the GDPR. In 2017 the UK government announced that it will include the provisions of the GDPR in UK domestic law after BREXIT, so the effect will be the same in the UK, irrespective of BREXIT.

But are universities “organizations” under the GDPR?

Although the language of the GDPR often refers to “customers,” European universities have been extremely proactive in ensuring GDPR compliance. Remember, if the “Data Subjects” are present in the EU, the fact that JMU is in the US makes no difference.

Where can I learn more about the GDPR at JMU?


Yasmeen Shorish, Data Services Coordinator, Libraries & Educational Technologies:

Howard S. Carrier, Social Sciences Librarian & Copyright Coordinator, Libraries & Educational Technologies:

Where can I learn more about the GDPR, and how it impacts institutions of higher education?

The following resources may be helpful:

European Commission. (2018). 2018 reform of EU data protection rules. Retrieved from

Faitelson, Y. (2017). Yes, the GDPR will affect your US-based business. Forbes. Retrieved from

Grama, J. (2018). 7 things you should know about GDPR. EDUCAUSE. Retrieved from

Jisc. (2017). A year to get your act together: how universities and colleges should be preparing for new data regulations. Retrieved from
