The European Union General Data Protection Regulation (GDPR)

1 The European Union General Data Protection Regulation (GDPR)
Effective: May 25th, 2018.

2 What is the GDPR?
An extensive data protection law designed to protect the personal data and privacy of individuals in the European Union (EU). It replaces the Data Protection Directive (95/46/EC). The GDPR is considered a comprehensive data protection regime, unlike US privacy laws such as FERPA, HIPAA, and the Gramm-Leach-Bliley Act, which are all sectoral laws that each cover only one industry or type of data.
NOTE: While the GDPR is an EU regulation, it is likely to be adopted by the other countries in the European Economic Area, specifically Iceland, Norway, and Liechtenstein. The UK is also likely to pass equivalent legislation after "Brexit".

3 What data? . . . (EU personal data)
Like the Directive, the GDPR applies to any information related to a natural person that can be used, directly or indirectly, to identify that person – e.g.: name, photo, address, bank details, social media posts, medical information, IP address, etc….

4 Why Does US Higher Ed Care? (Or why do we care even more about the GDPR than we did about the Directive?)
- The GDPR's territorial scope is broader and more clearly defined than the Directive's: the EU intends the GDPR to apply to many organizations not based in, or even physically operating within, the EU.
- The GDPR gives EU Data Protection Authorities (DPAs) the ability to levy much steeper fines than the Directive's implementing legislation permitted: up to the greater of 4% of annual worldwide turnover or €20,000,000.

5 Why Does US Higher Ed Care? (continued)
- The GDPR affords data subjects much broader rights than the Directive: data subjects have "the right to be forgotten," may bring causes of action directly under the GDPR, may bring claims directly against downstream processors, and may claim compensation even for non-material damage resulting from an infringement.
- The specter of enforcement under the GDPR is pushing EU organizations to enforce requirements more strictly on downstream controllers and processors.

6 What is the Territorial Scope of the GDPR?
The GDPR applies not only to organizations within the EU but also to organizations outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. Specifically, the GDPR applies to an organization outside the EU "where the processing activities are related to: (a) the offering of goods or services. . . to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union."
Notably, the language of the GDPR implies that it covers not only EU citizens and residents but anyone who is physically within the borders of the EU at the time of the processing.
A preliminary task for each IU unit is identifying where that unit collects or processes personal data from EU data subjects. The IU GDPR Working Group has developed a questionnaire to help in that process:

7 Where Might the GDPR Apply to IU?
- Recruitment – e.g., recruiting graduate students at a recruitment fair in the EU
- Alumni Engagement – e.g., offering any services (including without charge) to alumni based in the EU
- Research – e.g., collecting personal data directly from EU residents or receiving personal data from EU institutions
- Dual or Joint Degree Programs with European Institutions – e.g., the joint degree program with Manchester Business School
- Online Degree and Non-Degree Programming
- Study Abroad
- Gateway Office / Employees or Agents working in the EU

8 If the GDPR Applies, What Requirements Must be Met? (slides 8-14)
Some of the more significant requirements include: Notice | Data subject rights | Data retention | Record keeping | Security | Consent | Breach notification
- Notice – Typically the organization must provide a relatively detailed privacy notice with certain required information (e.g., the purposes for which the data is being processed; to whom the data will be disclosed) at the time the data is obtained from the data subject.
- Data subject rights – Generally the organization must provide data subjects the right to view the personal data being maintained about them and to have any inaccuracies rectified; in certain cases the organization must also provide the right to have their data erased and the right to receive their data in a format that can be transferred to another organization (data portability).
- Data retention – Normally the storage period must be kept to the "strict minimum" necessary to achieve the stated purpose; there are some exceptions for archival, scientific, historical, and statistical activities.
- Record keeping – The organization must keep records of the purposes of the processing, the categories of personal data processed, the categories of recipients to whom the personal data has been disclosed, etc.
- Security – The organization must implement relatively rigorous technical and organizational security measures (the GDPR specifically names pseudonymisation and encryption of personal data as examples) and maintain a documented process for regularly testing and assessing the effectiveness of those measures.
- Consent – Data subjects often have to provide affirmative consent for the processing of their personal data unless the organization has another "lawful basis" (e.g., contractual basis; "legitimate interests" basis) for processing the data.
- Breach notification – Data breaches posing a risk to "the rights and freedoms" of the data subjects must be reported to the relevant EU supervisory authority "without undue delay" and typically no later than 72 hours after the organization becomes aware of the breach. A processor that discovers a breach must notify the controller without undue delay, so the controller's 72-hour clock depends on prompt reporting by its vendors. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified.
(NOTE: The official English text of the GDPR is 88 pages long; it can be found at )
The GDPR also requires an organization to impose similar requirements on third-party processors (e.g., vendors) who process GDPR personal data on the organization's behalf.

15 How Can the IU GDPR Working Group Help?
Contact:
The GDPR Working Group can help:
- Advise on whether the GDPR applies to a certain situation
- Advise on the possible level of risk of a specific situation
- Provide tools and guidance on meeting the GDPR's requirements: templates (soon to be available) for consents, privacy notice(s), sub-processor contractual provisions, and other relevant documents, for use by IU units.
