The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that governs how organizations collect, process, store, and transfer personal data of individuals within the EU and EEA. GDPR is designed to enhance individuals’ control and rights over their personal data and to harmonize data privacy laws across Europe.
Examples of Personal Data
Name, email address, phone number, IP address, location data, health records, identifiers like user IDs, and any data that can be linked to an identifiable person.

Key aspects of GDPR
Scope
Applies to all organizations that process personal data of individuals in the EU, regardless of whether the organization itself is based in the EU. This includes data controllers and data processors, even outside the EU, if they offer goods or services to, or monitor the behavior of, EU data subjects.
Assessment
Compliance may be assessed through internal audits, external legal reviews, and investigations by Data Protection Authorities (DPAs). Noncompliance can result in administrative fines up to €20 million or 4% of global annual turnover, whichever is higher.
Purpose
To protect the fundamental rights and freedoms of individuals, particularly their right to privacy, by establishing strict rules for how personal data should be handled and giving individuals greater transparency and control over their data.
Compliance
Organizations are required to implement appropriate technical and organizational measures to meet GDPR’s core requirements. This includes principles such as data minimization, purpose limitation, storage limitation, transparency, and accountability. Key areas include: lawful basis for processing, data subject rights (access, correction, deletion, portability), consent management, security of processing, data protection impact assessments (DPIAs), and data breach notification.
myLaminin’s compliance with GDPR
myLaminin has conducted a comprehensive review of our platform to evaluate compliance with the General Data Protection Regulation (GDPR) as a data processor supporting research and data collaboration across academic and healthcare environments.
Based on our internal assessment, myLaminin currently supports 71% of GDPR requirements directly through our platform capabilities, technical controls, and organizational policies. These include secure data processing, user access controls, audit logging, encryption, and role-based permissions.

17% of the requirements have been tagged as the Principal Investigator’s (PI’s) responsibility, particularly those involving legal basis for data collection, participant consent, and fulfillment of data subject requests. This is because myLaminin does not exercise direct control over research processes or participant engagement; instead, we provide researchers with tools to implement their own data collection workflows, including customizable consent mechanisms and data minimization practices.
The remaining 9% of requirements are currently on our product roadmap, with targeted improvements aimed at enhancing data portability, automated consent verification, and self-service data access by participants. These features are prioritized to further strengthen our platform’s data protection alignment and researcher support.