General Data Protection Regulation (GDPR)
What is GDPR?
The General Data Protection Regulation, or GDPR, requires a baseline set of standards for organizations that process personal information. GDPR safeguards the processing and movement of personal information for individuals residing in the European Union.
GDPR formally took effect on May 25, 2018. It affects organizations worldwide, including universities. GDPR:
- Replaces the Data Protection Directive as the primary law regulating how companies and organizations protect the personal information of European Union (EU) residents
- Expands personal privacy rights for EU residents and also affects non-EU citizens located in an EU member state
- Mandates a baseline set of standards for organizations handling certain types of personal information of individuals located in the EU. This better safeguards the processing and movement of that information
- Applies to institutions with no physical EU presence if they control or process covered information. This means that even if a person is not an EU citizen, if they are located in the EU, GDPR standards protect them and apply to the institution processing their information
- Strengthens the consent process
- Enforces penalties
The “Right to be Forgotten” is not universal. It only applies to EU residents and non-EU citizens living in an EU member state.
Units that collect personal information do not need consent for all collection and use. Processing based on contractual obligations or legitimate business interests does not require consent under GDPR.
What initiatives and processes have Penn State’s Privacy and Compliance team put in place to meet GDPR requirements?
Penn State has put new processes and initiatives in place to meet GDPR requirements. These initiatives and processes include:
- Developed a risk-based GDPR compliance program
- Collected data inventories (data collection and use/purpose of collection)
- Updated consent process, as appropriate
- Transparency for student data collection and use in LionPath
- Mechanism for requesting the “Right to be Forgotten”/“Right of Erasure” or “Right to Access”
- GDPR Statement of Requirements for Research
- Development of a Privacy Impact Assessment (PIA) Program
- University-wide adoption of “Penn State Privacy Principles”
- GDPR educational resources and training – COMING SOON
What do I need to do for GDPR compliance?
Unless the Privacy and Compliance team has met with you, you do not need to do anything currently. However, your unit may begin to document any data elements you collect and why you collect them. Learn more about data inventory here.
Members of the Penn State community can elect to receive automated communication pertaining to Penn State’s GDPR compliance program initiatives and updates. To request this service, please email firstname.lastname@example.org
If you have additional questions pertaining to GDPR, please contact email@example.com