GDPR and Data Privacy Award Terms

Sponsored project awards may include terms and conditions that require compliance with data privacy laws, including the European Union’s General Data Protection Regulation (GDPR). When GDPR applies to a research project, specific data protection safeguards must be in place. In particular, the project must:

  • Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists.
  • Minimize the collection and processing of personal data when possible.
  • Protect any personal data that the organization collects and/or uses.
  • Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal data of data subjects, implement a plan to mitigate those risks, and continuously monitor the risks and the mitigation for change.
  • Have a breach notification policy, and notify authorities within 72 hours of learning of a breach.

To ensure compliance with data privacy requirements, the Office of Sponsored Programs notifies the Office of Compliance, Investigations and Ethics and Pitt Information Technology Security, who will work with the Principal Investigator (PI) on a plan that adequately protects the project data.

Date

Friday, November 10, 2023