By Jesse Drake
What is the GDPR?
The GDPR is, in a word, complex. Broadly, it's a stringent set of reforms around how organizations in the European Union (EU) collect and use personal data, meant to bolster consumers' data privacy and consent rights. It's directed at 28 countries in the EU and three additional countries that comprise the European Economic Area (EEA). Violating the GDPR carries stiff penalties.
While aimed specifically at organizations in EU member-states, it impacts any entity outside of the EU that offers goods or services to EU-based customers or businesses.
What the GDPR means at the U
Since the GDPR went into effect, Rudy Matthes, risk analyst in the Governance, Risk & Compliance (GRC) group in UIT’s Information Security Office (ISO), has been meeting with the deans of various colleges at the university. Matthes, who oversees inherent risk process at the U, explains what the new data protection framework is, how it applies here, and what support and resources are available. GDPR-related complaints, which have been few, are handled on a case-by-case basis. On campus, the process involves ISO and the Office of General Counsel (OGC); on the hospital side, it involves U Health's Information Privacy Office.
It's important to note, Matthes said, that the University of Utah requires personal information only when necessary. U.S. colleges and universities are prohibited from selling student information or requesting social media account information from students. Learn more in this EDUCAUSE article, and read the U’s official Privacy Statement.
Matthes said the other key thing to understand is that the GDPR applies only to those physically present in the EU.
"If you are there, you have those rights. That's the huge caveat," he said.
In business or academia, GDPR defines three basic roles in data transactions:
The subject (who the data relates to)
The controller (who decides what to do with the data)
The processor (who processes the data)
A university can be a controller or processor, when, for example, it involves Human Resources data of EU-based students. This applies to data about a student at an EU-based satellite campus, which the U does not currently have. It gets a little more complicated relative to less formal communication channels like email. Take, for example, a coach who is looking at a prospective athlete in Europe. Strictly speaking, the emails between the two are considered personal data under the GDPR.
"We do reach out to people in the EU, whether that's prospective students, donors, or alumni who have relocated there," Matthes said.
Matthes invites you to read the GDPR Privacy Notice. It covers the following topics in greater detail:
- Does This GDPR Privacy Notice Apply to Me?
- What Personal Information Does the University Process?
- General Categories
- Special Categories
- Why the University Processes Your Personal Information
- How Does the University Receive Your Personal Information?
- Who Processed Your Personal Information?
- How Long Does the University Keep Your Personal Information?
- What Are Your Rights as a Data Subject?
- How to Exercise Your Rights
- How Does the University Respond to Requests for Personal Information?
- Existence of Automated Individual Decision-Making
- Transfer of Personal Information Outside the EEA
- How Do I Contact the University, the Data Controller?
- Full GDPR (English version)
- Updates to GDPR Privacy Notice
If you have additional questions or concerns related to GDPR, please email firstname.lastname@example.org.