A workgroup of individuals has met to determine the ways that GDPR requirements can be integrated with University processes. Specific areas that are being addressed are:
Be informed: If you work in or oversee a department that handles information about EU citizens or residents, be familiar with the regulation and its requirements. For immediate concerns, work with your campus Registrar, Human Resources, Research, and IT offices to determine what measures must be taken.
You do not need to take any action on your own. Consult with appropriate contacts noted above before taking any specific actions. It will take some time for a more precise understanding of how GDPR will be further defined, interpreted, and enforced by the EU and national data protection authorities of its member states. Jubilee University will be paying close attention to the evolution of the law’s compliance requirements over the coming years and will respond as needed.
The GDPR protects personal data of data subjects located in the EU. GDPR applies to EU data subjects regardless of their citizenship or nationality. Much like an American in Paris would need to follow Paris traffic regulations, that same American’s personal data would be protected by the GDPR while in France. This is the concept of territoriality—GDPR protects all data subjects within EU borders.
Personal data are any information about an identified or identifiable data subject, which can include direct identifiers, such as name, address, email address, and national identification numbers, or indirect identifiers such as location data or IP address. This list of data elements is not exhaustive, and the definition of personal data under GDPR may be broad.
Organizations (regardless of where they are located) that offer goods or services to people in the EU or that collect data on people located in the EU also must follow GDPR.
For guidance dealing with these inquiries use the campus contacts as appropriate. Any further questions can be directed to the University Cabinet.
GDPR is a current hot-topic for vendors and the media to fill our phones and inboxes. For the most part these unsolicited messages should be ignored. If a vendor or third-party contacts you specific to an existing University agreement, refer the matter to the appropriate campus contact. If the media contacts you, follow your campus media policy and procedures.