The General Data Protection Regulation (GDPR) is the current EU law on information privacy and data protection.
- Who at the university needs to worry about GDPR compliance?
Everyone who engages in, or provides support services to anyone who engages in, any activity related to “controlling” or “processing” personal data of GDPR-covered individuals must be involved in GDPR compliance efforts. These efforts include evaluating data and its use on campus and designing/implementing compliance policies, procedures, and best practices. Some examples of such departments include, but certainly are not limited to:
- Enrollment, admissions, and/or marketing departments may be involved in collecting and otherwise using personal data in soliciting or accepting expressions of interest and/or application materials from prospective students located in the EU.
- Similarly, human resources departments are likely doing the same with personal data of prospective employees located in the EU.
- Alumni organizations are likely collecting or otherwise using personal data of graduates who reside in, or have relocated to, the EU.
- Academic departments are likely collecting or otherwise using personal data of their members who may be permanently or temporarily located in the EU (ex: study abroad or international program faculty), or of other academic colleagues located in the EU (ex: research associates, etc.).
- Distance learning departments are likely collecting or otherwise using personal data of online students located in the EU and/or faculty located in the EU who are teaching online courses.
- Finance departments are likely collecting or otherwise using personal data of individuals located in the EU for billing, collection, or procurement/contracting purposes.
- Information technology departments will have responsibility for security and data breach policies, procedures, and best practices, and for assisting other university departments with planning and implementing changes to their relevant data management systems for GDPR compliance purposes.
- When does the GDPR take effect?
The GDPR went into effect May 25, 2018. Failure to be in full compliance could result in heavy fines up to 4% of the university’s global annual revenue or approximately $25 million, as well as personal damages of individuals adversely affected by noncompliance.
- Whose data does the GDPR protect?
The GDPR covers personal information of all natural persons—that is, people, but not legal entities like corporations or nonprofits—physically within the EU ("EU data subjects"). The GDPR makes no distinctions based on individuals' permanent places of residence or nationality. The GDPR applies to all such individuals' personal data.
- What constitutes personal data?
“Personal data” means any information relating to an identified, or identifiable, individual covered by the GDPR. Some examples of “personal data” include name, image, identification number, location data, birth date, race/ethnicity, academic information, etc., as well as online identifiers such as IP addresses or “cookies” that can identify an individual through a device.
- Do the rules only apply to EU citizens or residents?
No. The rules apply to all data subjects while they are physically located in the European Union.
- What countries are part of the European Union?
Members of the European Union include:
Disclaimer: East Stroudsburg University is not a law firm and does not provide legal services or advice. This language is for informational purposes only and is subject to regular changes.