General Data Protection Regulation (GDPR)

It's everyone's job to protect personal data.
If you determine that you will use personal data from the EEA, follow these steps. Send questions to

COMIRB and Contracts

Step One

Complete and submit the following paperwork to COMIRB:

  • COMIRB submission package/GDPR addendum
  • Protocol Grant
  • Paperwork (if applicable)
  • List of software/services you will use
  • List of EEA organizations used for collaboration that may require a contract

Reference Material for review: COMIRB GDPR Guidance Document


Step Two

After speaking with the Privacy Office or COMIRB about the project, complete the first GDPR module of the CITI training if required, and send an email to when completed.


Step Three

The GDPR Committee will contact you to review your SOP and provide recommendations to ensure GDPR is followed. The SOP is finalized by the researcher.


Step Four

The GDPR Committee and the responsible project lead sign an MOU. The researcher ensures this is complete.

Begin Work

Step Five

Remember that under GDPR, any data related to a person (i.e., name, email address, thoughts, opinions, and genetic information), EVEN data that has been de-identified, must be properly protected and the person's rights (notice, access, and deletion) respected.