The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that protects the rights individuals have over their own personal data. It applies to personal data of individuals in the European Union (EU) or European Economic Area (EEA), including data collected in or from the EU or EEA. UW-Madison takes data protection seriously, and data privacy principles play an important role in how we manage data. Where our data processing activities are subject to the GDPR, we rely on robust privacy and security policies, procedures, and processes to meet its requirements.
The following resources explain how UW-Madison implements core data protection principles across our institution.
Lawful Basis for Processing Data
Having a lawful basis means possessing a valid, justifiable reason for collecting, using, sharing, or storing personal data.
- Legal Basis Overview: Review our GDPR Privacy Notice for information regarding our legal basis for processing data. (Note: This is a general overview; other bases for processing data also exist at UW-Madison).
Purpose Limitation
Personal data should be collected for specified and explicit purposes and should not be further processed in a way that is incompatible with those original purposes.
- Governing Policy: UW System Privacy Policy
- Data Processing Activities Explanation: UW-Madison Privacy Notice
Data Minimization
We strive to limit the collection, processing, and storage of personal data strictly to what is relevant and necessary for the purpose.
- Governing Policy: UW System Privacy Policy
- Data Processing Activities Explanation: UW-Madison Privacy Notice
Accuracy
The accuracy principle requires that personal data be accurate and, where necessary, kept up to date, and that inaccurate data be corrected or erased without delay. In support of this, data subjects are told what data we hold about them, may request that we correct inaccurate data, and may ask us to stop processing their data.
- Data Subject Rights: Information provided to data subjects can be found in our GDPR Privacy Notice.
Storage Limitation
Storage limitation means keeping personal data in a form that identifies individuals for no longer than is necessary for the purposes for which it is processed.
- Records Management: We publish Records Retention Schedules and Disposition Schedules that define how long records are kept and how they are disposed of at the end of that period.
Integrity and Confidentiality
We maintain a comprehensive institutional policy library at policy.wisc.edu that sets out our IT security policies. Key policies include:
- Access & Credentials: Access Control Services | IT Credentials
- Data Security: Restricted Data Security Management | Storage and Encryption
- Network & Infrastructure: Cybersecurity Risk Management | Network Firewall | Endpoint Management and Security | Vulnerability Scanning
- Incident & Disposal: Incident Reporting and Response | Media and Device Disposal and Reuse
Data Privacy Protection & Accountability
We are able to demonstrate compliance with the GDPR where it applies. Privacy impact assessments help us identify, assess, and mitigate privacy risks in order to protect both individuals and the institution.
- Privacy Risk Reviews: We conduct Data Privacy Impact Assessments (the GDPR's Data Protection Impact Assessments, or DPIAs) as needed.
- Accountability Resources: General Data Protection Regulation (GDPR) – Investigator Manual