Information Technology Services
GDPR Position Statement and Policy
- The Regulation
The European Union’s General Data Protection Regulation (GDPR) went into effect 25 May 2018. This law imposes strict data protection rules on organizations in an effort to protect the privacy of individuals in the EU. The GDPR has been receiving significant news coverage, including in the US mainstream media, and has prompted numerous questions from the university community about what Aurora University is doing in response. Information concerning GDPR and AU’s strategy is provided below
- GDPR Scope
This Regulation may have implications for your operation if your business unit collects, processes, or stores (or uses a third party to collect, process, or store) personal data1 from individuals in2 the European Union. The GDPR defines “personal data” very broadly such that the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used to identify an individual.
The GDPR concerns the personal data of individuals in the European Economic Area, which includes EU countries as well as Iceland, Norway, and Lichtenstein. So use of the term EU refers to all of the above countries.
To what extent is AU subject to the GDPR?
- The GDPR indicates that it applies to organizations based outside of the EU “where the [data] processing activities are related to:
- the offering of goods or services, irrespective of whether a payment to the data subject is required, to such data subjects in the [European] Union; or
- the monitoring of their behavior as far as their behavior takes place within the [European] Union”
- European authorities have provided little guidance on how these standards will be applied to organizations, such as US higher education institutions, based outside the EU; however, the GDPR does make clear that the mere fact that an organization’s website is accessible in the EU and can collect personal data from EU residents does not mean that the organization must comply with the GDPR.
- To be subject to the GDPR, the organization must show an intention to offer goods or services specifically to EU residents, such as by mentioning customers in the EU on its website, selling goods in Euros, or providing content in an EU-specific language.
- It is clear that the GDPR would impact AU activities where individuals in the EU are targeted or AU monitors their behavior (e.g., where an AU research project involves collecting personal data from EU residents); however, at least until the EU offers greater clarity on how the GDPR will be applied to organizations outside the EU, we are taking the position that virtually all AU activities are not within the scope of the GDPR.
- As an example, at this time we do not plan to treat the data of EU citizens enrolling at AU as subject to the GDPR because AU did not target such students in the EU and will be providing those students with services almost exclusively in the US.
What are examples of some AU activities which might be within the scope of the GDPR?
- Undergraduate and graduate recruitment targeted towards EU residents
- Research involving the collection of personal data from EU residents
- Dual or joint degree programs with European institutions
- The use of CRM products to target or track EU residents
- GDPR Compliance Requirements
The GDPR imposes significant new requirements on organizations (even those operating solely outside of the EU) that collect, process, or store personal data of individuals present in the EU, whether or not EU citizens or residents. For example, the GDPR generally requires that organizations allow individuals access to their personal data and keep detailed records of how such personal data is processed. In the event of a GDPR violation, the Regulation gives EU authorities the ability to levy steep fines. Please note that the GDPR will most likely not apply to data of EU citizens collected while they reside in the United States. For more information, please see this detailed article.
- Additional Information
- EU GDPR text
- EDUCAUSE
- GDPR Portal | FAQs
- EU Commission:
- Data Protection
- Data Protection Authorities (DPAs) (for each EU Member State)
Footnotes
-
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
-
The word “in” is used broadly in this instance. The GDPR applies to the personal data of data subjects regardless of whether they are citizens or residents of the EU. (See Chapter 1, Article 3 of the GDPR for more information on “Territorial Scope”.)