The European Union General Data Protection Regulation (GDPR)

Presentation transcript:

The European Union General Data Protection Regulation (GDPR) Effective: May 25th, 2018.

What is the GDPR? An extensive data protection law designed to protect the personal data and privacy of individuals in the European Union (EU). It replaces the Data Protection Directive (95/46/EC). The GDPR is considered a comprehensive data protection regime, unlike US privacy laws such as FERPA, HIPAA, and the Gramm-Leach-Bliley Act, which are all considered sectoral laws. NOTE: While the GDPR is an EU regulation, it is likely to be adopted by other countries in the European Economic Area, specifically Iceland, Norway, and Liechtenstein. The UK is also likely to pass equivalent legislation after “Brexit”.

What data? (EU personal data) Like the Directive, the GDPR applies to any information related to a natural person that can be used, directly or indirectly, to identify that person, e.g. name, photo, email address, bank details, social media posts, medical information, IP address, etc.

Why Does US Higher Ed Care? (Or why do we care even more about the GDPR than we did about the Directive?) The GDPR’s territorial scope is broader and more clearly defined than the Directive’s scope: it is clear that the EU intends the GDPR to apply to many organizations not based in, or even physically operating within, the EU. The GDPR gives EU Data Protection Authorities (DPAs) the ability to levy much steeper fines than were permitted under the Directive’s implementing legislation: DPAs can impose fines of up to the greater of 4% of annual global turnover or €20,000,000.

Why Does US Higher Ed Care? (continued) The GDPR affords data subjects much broader rights than the Directive. For example, data subjects have “the right to be forgotten,” may bring causes of action directly under the GDPR, may bring claims directly against downstream processors, and may claim damages even where they have suffered only “immaterial damage” as a result of an infringement. The specter of enforcement under the GDPR is pushing EU organizations to more strictly enforce requirements on downstream controllers and processors.

What is the Territorial Scope of the GDPR? The GDPR applies not only to organizations within the EU but also to organizations outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. Specifically, the GDPR applies to an organization outside the EU: “where the processing activities are related to: (a) the offering of goods or services. . . to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union.” Notably, the language of the GDPR implies that it covers not only EU citizens and residents but anyone who is within the borders of the EU. A preliminary task for each IU unit is identifying where that unit collects or processes personal data from EU data subjects. The IU GDPR Working Group has developed a questionnaire to help in that process: https://iu.co1.qualtrics.com/jfe/form/SV_25WIDCKE575nnq5

Where Might the GDPR Apply to IU?
Recruitment, e.g. recruiting graduate students at a recruitment fair in the EU
Alumni Engagement, e.g. offering any services (including without charge) to alumni based in the EU
Research, e.g. collecting personal data directly from EU residents or receiving personal data from EU institutions
Dual or Joint Degree Programs with European Institutions, e.g. the joint degree program with Manchester Business School
Online Degree and Non-Degree Programming
Study Abroad
Gateway Office / Employees or Agents working in the EU

If the GDPR Applies, What Requirements Must be Met? Some of the more significant requirements include: Notice | Data subject rights | Data retention | Record keeping | Security | Consent | Breach notification

Notice – Typically the organization must provide a relatively detailed privacy notice with certain required information (e.g., the purposes for which the data is being processed; to whom the data will be disclosed) at the time the data is obtained from the data subject.

Data Subject Rights – Generally the organization must provide data subjects the right to view the personal data that is being maintained and to have any inaccuracies rectified; also, in certain cases the organization must provide data subjects the right to have their data erased and the right to receive their data in a format that can be transferred to another organization.

Data retention – Normally the storage period must be kept to a “strict minimum” that is necessary to achieve the stated purpose; however, there are some exceptions for archival, scientific, historical, and statistical activities.

Record keeping – The organization must keep records of the purposes of the processing, the categories of personal data processed, the categories of recipients to whom the personal data has been disclosed, etc.

Security – The organization must implement relatively rigorous technical and organizational security measures and maintain a documented process for regularly testing and assessing those measures.

Consent – Data subjects often have to provide affirmative consent for the processing of their personal data unless the organization has another “lawful basis” (e.g., contractual basis; “legitimate interests” basis) for processing the data.

Breach notification – Data breaches posing a risk to “the rights and freedoms” of the data subjects must be reported to EU authorities “without undue delay” and typically no later than 72 hours after discovery.

(NOTE: The official English text of the GDPR is 88 pages long; it can be found at https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en#legislation ) The GDPR also requires an organization to impose similar requirements on third-party processors (e.g., vendors) who process GDPR personal data on the organization’s behalf.

How is the IU GDPR Working Group There to Help? https://protect.iu.edu/gdpr Contact: gdprMay@iu.edu
The GDPR Working Group can help:
Advise on whether the GDPR applies to a certain situation
Advise on the possible level of risk of a specific situation
Provide tools and guidance on meeting the GDPR’s requirements: templates (soon to be available) for consents, privacy notice(s), sub-processor contractual provisions, and other relevant documents, for use by IU units.