GDPR Compliance

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The regulation went into effect on May 25, 2018. Any organizations in non-compliance may face heavy fines.

To ensure that all staff of the Milken Institute and it's centers are in compliance with GDPR, this interactive training has been created to inform everyone about the new policies that have been put into place.

Personal Data

What is Personal Data?

Personal data is information that relates to an identified or identified individual. Examples of personal data are below:

  • Name
  • Address
  • Email Address
  • Phone Number
  • Employer
  • Unique ID (Salesforce or CVENT ID)
  • IP Address

If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.

Identify Personal Data

Select all examples of personal information.

  • Home Address
  • Mobile Phone Number
  • Fulll Name
  • Employer

GDPR Principles

7 Key Principles

The GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Lawfulness, Fairness and Transparency

You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.


Purpose Limitation

You must be clear about what your purposes for processing are from the start.

Data Minimisation

You must ensure the personal data you are processing is:

Adequate – sufficient to properly fulfil your stated purpose;

Relevant – has a rational link to that purpose; and

Limited to what is necessary – you do not hold more than you need for that purpose.


You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.

Storage Limitation

You must not keep personal data for longer than you need it.

Integrity and Confidentiality

You must ensure that you have appropriate security measures in place to protect the personal data you hold.

Accountability Principle

You must take responsibility for what you do with personal data and how you comply with the other principles

Individual Rights

Rights for Individuals

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

Right of Access

Individuals have the right to access their personal data.

Right to Rectification

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.

Right to Erasure

The GDPR introduces a right for individuals to have personal data erased.

Right to Restrict Processing

Individuals have the right to request the restriction or suppression of their personal data.

Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

Right to Object

The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.

Rights to Automated Decision Making including Profiling

You can only carry out this type of decision-making where the decision is:

  • necessary for the entry into or performance of a contract; or
  • authorised by Union or Member state law applicable to the controller; or
  • based on the individual’s explicit consent.


What is Consent?

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. Consent requires a positive opt-in which means we will not use pre-ticked boxes or any other method of default consent.

Consent from individuals must be explicit which requires a very clear and specific statement of consent. In the event that the Institute is audited, we must be able to provide evidence of consent which includes:

  • Who
  • When
  • How
  • Information told to the individual

How to Get Consent

Heading 1 text goes here

Here will be information regarding how we intend to gather consent at MI.

Milken Institute Data Policy and Privacy Notice

Data Policy

Heading 1 text goes here

Data Policy would go here.

Privacy Notice

Heading 1 text goes here

Privacy Notice would go here and we would talk about the consent mechanisms that have been implemented across our systems.

How to Process Data Requests

Receiving a Data Request

Heading 1 text goes here

This would explain at a very high level what happens when a data request comes through. This will also include who will be processing the data request.