The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that applies to personal data collected in or from the EU, to processing related to goods or services offered to individuals in the EU, and to the monitoring of the behavior of individuals in the EU. It applies regardless of where the organization doing the processing is located.
How does this affect us at FGCU?
Although this is an EU regulation, it has significant potential to impact U.S. systems. Three major categories of data are most likely to be affected: data collected on students from the EU (e.g., international students), human resources data (e.g., data collected from or on staff or faculty living or working in the EU) and marketing data (e.g., data collected from a potential student living in the EU who is interested in FGCU).
This overview provides guidance for identifying business processes and systems where GDPR may apply. Please consult the Office of Institutional Equity and Compliance or the Office of General Counsel for further information and direction in applying GDPR.
Key Principles of GDPR
The following terms are essential components of the regulation:
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer
A Data Protection Officer is someone who is given formal responsibility for data protection compliance within a business. Not every business will need to appoint a data protection officer – you need to do so if:
- Your organization is a public authority; or
- You carry out large-scale systematic monitoring of individuals (for example, online behavior tracking); or
- You carry out large-scale processing of special categories of data or data relating to criminal convictions and offenses.
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Unlike earlier data protection law (the DPA), the GDPR imposes direct responsibilities on the Data Processor. A ‘Processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller; this includes third-party IT service providers.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Right to be Forgotten
The right to erasure of personal data, or ‘the right to be forgotten’, enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Pseudonymous Data
Some sets of data can be altered in such a way that no individual can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified. A good example of pseudonymous data is the coded data sets used in clinical trials. Because the key allows re-identification, pseudonymous data is still personal data under the GDPR; only data that has been irreversibly anonymized falls outside the regulation.
Additional GDPR Resources
The following resources should help provide a better understanding of the regulation, specifically how it relates to U.S. institutions of higher education.
- Official EU GDPR Site
- EDUCAUSE Resources
- EU GDPR Informational Site
- EAB GDPR Article
- AACRAO - Comparing GDPR and FERPA
- Inside Higher Ed Article