The General Data Protection Regulation (GDPR) was adopted in 2016 by the European Union (EU) to
strengthen data protection procedures and practices and expand the personal privacy rights of EU
residents. The regulation is legally binding across all 28 member states of the EU. The regulation
extends beyond territorial boundaries and applies to all entities that offer goods and services to EU
data subjects (a person physically in the EU) regardless of the entity’s physical presence within the EU.
The regulation went into effect on May 25, 2018.
What is the purpose of the GDPR?
The main purpose of GDPR is to give EU residents greater control over how their personal data is
collected, stored, used, and protected, as well as its destruction once it is no longer needed. The GDPR
evolved from the EU’s earlier directive of 1995, known as the Data Protection Directive, which set out to
retain an individual’s right of ownership over their personal data, including after they have shared it with
an organization.
Must Fordham University comply with the GDPR?
Fordham University must comply with the GDPR. The regulation applies to Fordham because it processes
data subjects’ personal data in the EU when offering them goods or services. Fordham has students
and staff at the London Centre and has students and staff participating in programs, research, and
internships in member states of the EU. Additionally, Fordham markets to EU residents and retains their
personal data in its own systems and in those managed by third parties.
What happens if non-compliance is discovered?
Organizations that do not comply with the GDPR could face a maximum fine of €20 million or 4% of their
worldwide revenue, whichever is greater. A 2% or €10 million fine will be charged for lesser infringements.
A non-compliant organization will also be subjected to regular, periodic data protection audits to ensure its
policies and procedures are updated and sustain GDPR compliance. Additionally, the media coverage
following a non-compliance finding could cause significant reputational damage.