General Data Protection Regulation (GDPR)

It's everyone's job to protect personal data.
If you determine that you will use personal data from the EEA, follow these steps. Send questions to

COMIRB and Contracts

Step One

Complete and submit the following paperwork to COMIRB:

  • COMIRB Application
  • Protocol (identify involved EEA organizations)
  • Grant/Contract (if any)

Reference Material for review: COMIRB GDPR Guidance Document


Step Two

COMIRB or a member of the GDPR Committee will contact you to develop an SOP for managing and protecting your GDPR data. To ensure GDPR is followed, the SOP will specify how data will be transferred, stored, and used; who will have access; which software services you will use; etc.


Step Three

CITI Training: After speaking with the Privacy office or COMIRB about your project, complete the first module (“GDPR Overview”) of the CITI “GDPR for Research and Higher Ed” course and send an email to when completed.


Step Four

The GDPR Committee will review the project and documentation. If approved, the PI will be asked to sign the SOP, COMIRB can complete their review, and any contractual agreements will be finalized.

Begin Work

Step Five

Remember that under GDPR any data related to a person (e.g., name, email address, thoughts, opinions, and genetic information), EVEN data that has been de-identified, must be properly protected, and the person's rights (notice, access, and deletion) must be respected.
