General Data Protection Regulation (GDPR)


The GDPR is a European law that establishes stronger rules for data protection. The regulation applies to any organization, regardless of physical location, that processes data associated with anyone residing in the 28 member states of the EU and Iceland, Liechtenstein, and Norway. GDPR is designed to give individuals better control over their personal data. Any information that relates to a person who can be identified, directly or indirectly, is personal data. Some examples are as follows: birth dates, telephone numbers, email addresses, account numbers, IP addresses, cookies, race, sexual life or orientation, political opinions, and religious or philosophical beliefs. GDPR considers pseudonymised data to be personal data.
Under GDPR, individuals will be able to withdraw consent at any time and have the right to be forgotten. Their data must be erased if it is no longer required for the reasons it was collected. When obtaining information from an individual who resides in the EU, certain elements, such as access to our privacy policies, types of identifiers collected, purpose of the data collection, and how long records will be retained, must be stated in the consent form.
For questions regarding IRB and GDPR, please contact Elizabeth Cadarette at


For other GDPR questions related to research, please contact Debra Keppler at