The General Data Protection Regulation (GDPR) requires security measures for processing data relating to an identified or identifiable individual located in the European Union, Iceland, Liechtenstein or Norway (GDPR Processing). Harvard units or programs must comply with the GDPR when conducting GDPR Processing. The GDPR requires that security measures be appropriate in light of the potential risks to the affected individuals, taking into account the scope and purposes of such processing and the nature of the data.
The GDPR identifies the following categories of data as meriting special protection: identifiable personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; identifiable personal information containing genetic, biometric or health data or data concerning sex life or sexual orientation; and data relating to criminal convictions and offenses. Identifiable genetic, biometric and health data are Level 4 data, to be handled accordingly. The other types of GDPR sensitive data listed above should be treated as Level 3 data when subjected to GDPR Processing, except when the data has been made public or otherwise widely shared by the relevant individual. Any GDPR Processing of such sensitive data should comply with the GDPR’s Articles 9 and 10.
Examples: Information a French applicant for admissions shares confidentially in their admissions essay about their religion should be treated as Level 3 data. Information about an individual’s political beliefs the individual shares widely in a blog post online would not require special protections.