GDPR for Research and Higher Ed

Overview of the European Union’s (EU) General Data Protection Regulation (GDPR).

Questions? Contact Us
Scroll Down Arrow


About this Course

The General Data Protection Regulation (GDPR) protects the personal data and privacy of individuals in the European Economic Area (EEA), including all European Union Member States and the three other countries that participate in the European Free Trade Association. Its broad reach means it applies to organizations and individuals in and out of the EU. The broad reach of the GDPR is of special consideration to research and higher education institutions that process personal data. This personal data often includes information which is connected to an identified or identifiable data subject.

This course helps individuals determine the broad reach of the GDPR, review how and when the regulation may apply, and examine a framework for compliance with the GDPR. Throughout the modules, learners will utilize case study examples of the GDPR to demonstrate appropriate action.

The foundation of the course is established through an overview of the regulation and discusses essential components of the GDPR. This overview includes different categories of data and regulatory roles and when the GDPR may apply to U.S.-based organizations and researchers.

Then additional modules provide in-depth coverage on topical areas, including:

  • GDPR and Human Subjects Research Considerations
  • Legal Basis for Processing Personal Data Subject to the GDPR
  • GDPR and Data Protection Impact Assessments
  • GDPR and Consent for Data Processing in Research
  • GDPR and Organizational Duties
  • Introduction to the GDPR for U.S. Higher Education Organizations: Beyond Research

The course is designed to have all learners complete the first module, and then the additional topic-focused modules as applicable.

The Introduction to the GDPR for U.S. Higher Education Organizations can be taken on its own.

Language Availability: English

Suggested Audiences: Compliance Officers and Departments, Contract Research Organizations (CROs), Contracts and Grants Officers, Higher Education Organizational Administrators, HRPPs, Institutional Officials, IRB Members and Administrators, Privacy Officers, Regulatory Affairs, Researchers, Risk Management Officers, Sponsors

Organizational Subscription Price: $500 per year/per site
Independent Learner Price: $99 per person

Demo Instructions


Course Content

GDPR Overview

This first module serves as the foundational module for the course. It discusses the important elements of the regulation, including different categories of data and regulatory roles, and when the GDPR may apply to U.S.-based organizations and researchers. Introduces important GDPR concepts such as lawful grounds for processing data and legal bases, governance requirements, individual rights, and breach notification.

Recommended Use: Required
ID (Language): 20030 (English)
Author(s): Cindy Gates, JD, RN, CIP - University of Miami

GDPR and Human Subjects Research Considerations

This topic-focused module covers scientific research and the GDPR, including researcher responsibilities as data controllers and processors. Examines when the regulation may apply to U.S.-based research, identifies potential lawful bases for processing and transferring data for research, as well as additional elements of consent required by the GDPR. Discusses GDPR issues with secondary research and using sensitive categories of personal data.

Recommended Use: Required
ID (Language): 20031 (English)
Author(s): Rubi Linares-Orozco, MAS, CIP, CCRP, CHC - City of Hope; Elizabeth Peterson, JD, CIPM - Delta Dental of Washington

Legal Basis for Processing Personal Data Subject to the GDPR

This supplemental module explores the legal basis requirement from the GDPR and the limitations on an organization's ability to process personal data. Reviews categories of personal data under the GDPR, potential safeguards for processing, and documentation practices to demonstrate compliance.

Recommended Use: Required
ID (Language): 20032 (English)
Author(s): Cindy Gates, JD, RN, CIP - University of Miami

GDPR and Data Protection Impact Assessments

This module delves into the steps for conducting a data protection impact assessment (DPIA) according to the GDPR. Reviews the concept of privacy by design (PbD), discusses the roles and responsibilities of controllers, processors, and data protection officers (DPOs) for compliance with the regulation.

Recommended Use: Required
ID (Language): 20033 (English)
Author(s): Cindy Gates, JD, RN, CIP - University of Miami

GDPR and Consent for Data Processing in Research

This in-depth module describes consent for data processing per the GDPR—where consent is both a legal basis (Article 6)(1)(a)) for the prohibition on processing personal data and an exemption (Article 9(1)(a)) for processing sensitive personal data (in other words, special categories of personal data). Differentiates between informed consent to participate in research and consent for processing personal data. Considers limitations when consent is used as a legal basis for processing.

Recommended Use: Required
ID (Language): 20034 (English)
Author(s): Sara Stevenson, MPA - College of Charleston

GDPR and Organizational Responsibilities

This module goes beyond the basic overview and reviews the organizational duties of controllers and processors under the GDPR, including obligations to maintain a record or processing activities, notify data subjects and regulators of a breach, and conduct a data protection impact assessment. Discusses the appointment and role of a data protection officer (DPO) and a representative in the EU, when applicable.

Recommended Use: Required
ID (Language): 20035 (English)
Author(s): David Babaian, JD, LLM, CIP, RAC - Advarra Consulting

Introduction to the GDPR for U.S. Higher Education Organizations: Beyond Research

This module discusses how the GDPR relates to U.S. organizations of higher education. Reviews the regulation’s basic elements, identifies higher ed activities that fall under the GDPR’s scope, and reviews special categories of data and provides examples of how an organization may process the data using different legal bases. Overviews subject rights under GDPR.

Note: Organizations may elect to provide this module as standalone in courses when individuals not involved in research but who work in university areas would benefit from a review of higher education concerns.

Recommended Use: Required
ID (Language): 20036 (English)
Author(s): Ann Kristin Glenster, BFA, MFA, MEGA, LLM - University of Cambridge