EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) requires security measures for processing data relating to an identified or identifiable individual located in the EEA, that is, the European Union, Iceland, Liechtenstein or Norway, when such data is acquired in connection with either offering goods or services targeted to persons in the EEA or monitoring the behavior of such persons (GDPR Processing). Harvard units or programs must comply with the GDPR when conducting GDPR Processing. The GDPR requires that security measures be appropriate in light of the potential risks to the affected individuals, taking into account the scope and purposes of such processing and the nature of the data. The GDPR identifies the following categories of data as meriting special protection: identifiable personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or containing genetic, biometric or health data or data concerning sex life or sexual orientation, and criminal convictions and offenses. Identifiable genetic, biometric and health data are Level 4 data, to be handled accordingly. The other types of GDPR sensitive data listed above should be treated as Level 3 data when subjected to GDPR Processing, except when the data has been made public or otherwise widely shared by the relevant individual. Any GDPR Processing of such sensitive data should comply with the GDPR’s Articles 9 and 10.


Examples: Information a French applicant for admissions shares confidentially in their admissions essay about their religion should be treated as Level 3 data. Information about an individual’s political beliefs the individual shares widely in a blog post online would not require special protections.
Note on pseudonymized data: Under the GDPR, pseudonymized data collected in a research project that is within the scope of the GDPR must be treated as identifiable, and therefore sensitive data as described above will be subject to Level 3 or 4 protection as the case may be, even if it is pseudonymized and the Harvard researchers do not have access to the data keys.


Harvard's GDPR Resource Website