Alabama Data Breach Protection Act of 2018, and the European Union's Global Data Protection Regulation (GDPR)

In May 2018, the University’s Data Protection Committee distributed a survey to campus and USA Health departments inquiring as to their collection and use of personal identifying information (PII). We received over 200 responses, which were greatly appreciated. In conjunction with this survey, the Committee reviewed the Alabama Data Breach Notification Act of 2018, in effect beginning June 1,2018, and the European Union’s General Data Protection Regulation – GDPR, in effect beginning May 25, 2018. 

We have determined the GDPR primarily only impacts the academic and administrative functions of the University, with limited applicability to USA Health. Steps are being taken to meet those requirements.

The University and USA Health’s existing processes for identifying, investigating and resolving patient and/or student privacy breaches are consistent with the requirements set forth by the Alabama Data Breach Notification Act.

The text of the Alabama Data Breach Notification Act is available here, which defines what is considered “sensitive PII” under the law.

The Committee has identified additional steps that must be taken to strengthen our PII protection safeguards, including:

  1. In addition to our current focus on data breaches affecting patients and students, we must expand our scope to include potential breaches of sensitive PII of USA employees, contractors, vendors, visitors, agents, representatives, donors, etc.
  2. review current levels of access to personal information by employees and determine where we can apply the “minimum necessary” concept,
  3. compare our retention of  personal data to our data retention policy requirements to determine where we may be retaining personal data longer than necessary,
  4. review our contracts with 3rd parties to assure language is present making it clear to our business associates of their equal regulatory responsibilities, and
  5. implement and maintain reasonable security measures to protect sensitive PII against a breach.

For further information on these topics, please contact Chris Hansen, Chief Compliance Officer, at, or (251) 460-7115.