General Data Protection Regulation (GDPR)
What is GDPR?
The General Data Protection Regulation, or GDPR, requires a baseline set of standards for organizations that process personal information. GDPR safeguards the processing and movement of personal information for individuals residing in the European Union.
GDPR formally takes effect May 25, 2018 and affects organizations worldwide, including universities. GDPR:
- Replaces the Data Protection Directive as the primary law regulating how companies and organizations protect the personal information of European Union (EU) residents
- Expands personal privacy rights for EU residents and also affects non-EU citizens located in an EU member state
- Mandates a baseline set of standards for organizations handling certain types of personal information of individuals located in the EU. This better safeguards the processing and movement of that information
- Applies to institutions with no physical EU presence if they control or process covered information about individuals located in the EU. Citizenship is not the test: a person who is located in the EU is protected by GDPR whether or not they are an EU citizen, and the institution processing their information is subject to it
- Strengthens the consent process
- Imposes penalties for non-compliance
The “Right to be Forgotten” is not universal. It applies only to individuals located in the EU, whether they are EU residents or non-EU citizens living in an EU member state.
Units that collect personal information do not need consent for every collection and use. Processing that is necessary to perform a contract with the individual, or that serves a legitimate interest of the unit (provided that interest is not overridden by the individual's rights), has its own lawful basis under GDPR and does not require consent.
How will Penn State’s Privacy and Compliance team meet GDPR requirements?
Penn State continues to take steps to meet GDPR compliance as we approach the May 25, 2018 effective date. Some of these steps include:
- Developing a risk-based GDPR compliance strategy
- Prioritizing GDPR requirements and working to implement them. Priorities include:
  - Data inventory (data collection and use/purpose of collection)
  - Updated consent process
  - Mechanism for requesting the “Right to be Forgotten”
  - Distribution of GDPR guidance and templates
  - Distribution of Privacy Impact Assessment (PIA)
  - Approval of “Penn State Privacy Principles”
  - GDPR educational resources and training
What do I need to do for GDPR compliance?
Unless the Privacy and Compliance team has met with you, you do not need to do anything immediately. However, your unit may begin to document the data elements you collect and why you collect them. Learn more about data inventory here. Much of the compliance work is still happening “behind the scenes,” and it will take some time to determine the full implications of GDPR requirements for Penn State and how best to meet them.
If you have additional questions pertaining to GDPR, please contact firstname.lastname@example.org
Members of the Penn State community can elect to receive automated communication pertaining to Penn State’s GDPR compliance program initiatives and updates. To request this service, please email email@example.com