GDPR for Research and Higher Ed

Overview of the European Union’s (EU) General Data Protection Regulation (GDPR).

About this Course


The General Data Protection Regulation (GDPR) protects the personal data and privacy of individuals in the European Economic Area (EEA), including all European Union Member States and the three other countries that participate in the European Free Trade Association. Its broad reach means it applies to organizations and individuals in and out of the EU.

This course helps individuals gain awareness of the GDPR, understand when and how it may apply, and provides a framework for compliance with essential parts of the regulation. Case studies and examples are interwoven in the course to explain concepts and applicability.

An overview of the regulation, which discusses the essential elements of the GDPR, establishes the foundation for the course. This overview includes different categories of data and regulatory roles and when the GDPR may apply to U.S.-based organizations and researchers.

Then additional modules provide in-depth coverage on topical areas, including:

  • GDPR and Human Subjects Research Considerations
  • Legal Basis for Processing Personal Data Subject to the GDPR
  • GDPR and Data Protection Impact Assessments
  • GDPR and Consent for Data Processing in Research
  • GDPR and Organizational Duties
  • Introduction to the GDPR for U.S. Higher Education Organizations: Beyond Research

The course is designed to have all learners complete the first module, and then the additional topic-focused modules as applicable.

The Introduction to the GDPR for U.S. Higher Education Organizations can be taken on its own.

Language Availability: English

Suggested Audiences: HRPPs, Regulatory Affairs, Risk Management Officers, Contracts and Grants Officers, Higher Education Organizational Administrators, Contract Research Organizations (CROs), Compliance Officers and Departments, Privacy Officers, IRB Members and Administrators, Institutional Officials, Researchers, Sponsors

Organizational Subscription Price: $500 per year/per site
Independent Learner Price: $99 per person


Course Content


GDPR Overview (New Content)

This first module serves as the foundational module for the course. It discusses the important elements of the regulation, including different categories of data and regulatory roles, and when the GDPR may apply to U.S.-based organizations and researchers. Introduces important GDPR concepts such as lawful grounds for processing data and legal bases, governance requirements, individual rights, and breach notification.

Recommended Use: Required
ID (Language): 20030 (English)
Author(s): Cynthia Gates, RN, JD, CIP - University of Miami

GDPR and Human Subjects Research Considerations (New Content)

This topic-focused module covers scientific research and the GDPR, including researcher responsibilities as data controllers and processors. Examines when the regulation may apply to U.S.-based research, identifies potential lawful bases for processing and transferring data for research, as well as additional elements of consent required by the GDPR. Discusses GDPR issues with secondary research and using sensitive categories of personal data.

Recommended Use: Required
ID (Language): 20031 (English)
Author(s): Rubi Linares-Orozco, MAS, CHC, CCRP, CIP - City of Hope; Elizabeth Peterson, JD, CIPM - Delta Dental of Washington

Legal Basis for Processing Personal Data Subject to the GDPR (New Content)

This supplemental module explores the legal basis requirement from the GDPR and the limitations on an organization's ability to process personal data. Reviews categories of personal data under the GDPR, potential safeguards for processing, and documentation practices to demonstrate compliance.

Recommended Use: Required
ID (Language): 20032 (English)
Author(s): Cynthia Gates, RN, JD, CIP - University of Miami

GDPR and Data Protection Impact Assessments (New Content)

This module delves into the steps for conducting a data protection impact assessment (DPIA) according to the GDPR. Reviews the concept of privacy by design (PbD) and discusses the roles and responsibilities of controllers, processors, and data protection officers (DPOs) for compliance with the regulation.

Recommended Use: Required
ID (Language): 20033 (English)
Author(s): Cynthia Gates, RN, JD, CIP - University of Miami

GDPR and Consent for Data Processing in Research (New Content)

This in-depth module describes consent for data processing per the GDPR—where consent is both a legal basis (Article 6(1)(a)) for the prohibition on processing personal data and an exemption (Article 9(1)(a)) for processing sensitive personal data (in other words, special categories of personal data). Differentiates between informed consent to participate in research and consent for processing personal data. Considers limitations when consent is used as a legal basis for processing.

Recommended Use: Required
ID (Language): 20034 (English)
Author(s): Sara M. Stevenson, MPA - College of Charleston

GDPR and Organizational Responsibilities (New Content)

This module goes beyond the basic overview and reviews the organizational duties of controllers and processors under the GDPR, including obligations to maintain a record of processing activities, notify data subjects and regulators of a breach, and conduct a data protection impact assessment. Discusses the appointment and role of a data protection officer (DPO) and a representative in the EU, when applicable.

Recommended Use: Required
ID (Language): 20035 (English)
Author(s): David Babaian, JD, LLM, CIP, RAC - Advarra Consulting

Introduction to the GDPR for U.S. Higher Education Organizations: Beyond Research (New Content)

This module discusses how the GDPR relates to U.S. organizations of higher education. Reviews the regulation’s basic elements, identifies higher ed activities that fall under the GDPR’s scope, reviews special categories of data, and provides examples of how an organization may process the data using different legal bases. Overviews subject rights under GDPR.

Note: Organizations may elect to provide this module as standalone in courses when individuals not involved in research but who work in university areas would benefit from a review of higher education concerns.

Recommended Use: Required
ID (Language): 20036 (English)
Author(s): Ann Kristin Glenster, BFA, MFA, MEGA, LLM - University of Cambridge


FAQs


Who should take the GDPR course?

This course is designed for individuals who control or process data that may be subject to the GDPR.

How does this GDPR course fit in with other CITI Program courses?

This course supplements other CITI Program courses and provides specific training related to the regulation.

How long does it take to complete the GDPR course?

This course consists of seven modules, which can be set as “required” or “supplemental.” Each module contains detailed content and a quiz, as well as images and case studies (when appropriate).

Modules vary in length, and learners may require different amounts of time to complete them based on their familiarity and knowledge of the topic. However, modules are each designed to take about 30 to 45 minutes to complete.

Is this course eligible for continuing medical education credits?

This course does not currently have CE/CME credits available.

How frequently should learners take this course?

This course is designed to help individuals understand the GDPR. There is no set schedule for completing this course.

It may be helpful for learners to take this course when they interact (manage, control, process, collect) with data that may be subject to the GDPR so that they have awareness and can remain in compliance with the GDPR.

What are the standard recommendations for learner groups?

A recommendation is to set the first (GDPR Overview) module as “required” and the other modules as “supplemental” for initial completion. This would help learners to understand the entire GDPR.

The Introduction to the GDPR for U.S. Higher Education Organizations: Beyond Research is designed to be a standalone module for the higher ed audience. The recommendation would be to set this module as “required” for higher ed learners and not have them complete the other modules in the course.

What are the advantages of CITI Program’s GDPR course?

This course provides specific, peer-reviewed training developed by a range of experts in GDPR. Along with CITI Program's advantages, including our experience, customization options, cost effectiveness, and focus on organizational and learner needs, this makes it an excellent choice for GDPR training.