Office of Information Security
General Data Protection Regulation (GDPR)
The General Data Protection Regulation, or GDPR, requires a baseline set of standards for organizations that process personal information. GDPR safeguards the processing and movement of personal information for individuals residing in the European Union.
GDPR formally took effect on May 25, 2018. It affects organizations worldwide, including universities. GDPR:
- Replaces the Data Protection Directive as the primary law regulating how companies and organizations protect the personal information of European Union (EU) residents
- Expands personal privacy rights for EU residents and also affects non-EU citizens located in an EU member state
- Mandates a baseline set of standards for organizations handling certain types of personal information of individuals located in the EU. This better safeguards the processing and movement of that information
- Applies to institutions with no physical EU presence if they control or process covered information. Even a person who is not an EU citizen is protected by GDPR while located in the EU, and the institution processing their information must meet GDPR standards
- Strengthens the consent process
- Enforces penalties
The “Right to be Forgotten” is not universal. It only applies to EU residents and non-EU citizens living in an EU member state.
Units that collect personal information do not need consent for every collection and use. Processing based on contractual obligations or legitimate business interests does not require consent under GDPR.
What initiatives and processes have Penn State’s Privacy and Compliance team put in place to meet GDPR requirements?
Penn State has put new processes and initiatives in place to meet GDPR requirements. These initiatives and processes include:
- A risk-based GDPR compliance program
- Data inventories (what data is collected and the purpose of collection)
- An updated consent process, where appropriate
- Transparency for student data collection and use in LionPATH
- A mechanism for requesting the “Right to be Forgotten”/“Right of Erasure” or “Right to Access”
- A GDPR Statement of Requirements for Research
- A Privacy Impact Assessment (PIA) program
- University-wide adoption of “Penn State Privacy Principles”
WHAT DO I NEED TO DO FOR GDPR COMPLIANCE?
Unless the Privacy and Compliance team has met with you, you do not need to do anything currently. However, your unit may begin to document any data elements you collect and why you collect them.
Members of the Penn State community can elect to receive automated communication pertaining to Penn State’s GDPR compliance program initiatives and updates. To request this service, please email firstname.lastname@example.org.
If you have additional questions pertaining to GDPR, please contact email@example.com.
WHAT IS DATA INVENTORY?
A data inventory is a compiled spreadsheet that logs the types of data you collect on individuals, where the data is located within Penn State, and the business purpose of such data.
WHY DOES PENN STATE NEED DATA INVENTORY NOW?
Penn State must comply with the General Data Protection Regulation (GDPR), an EU regulation on data protection and privacy.
WHY DOES HAVING A DATA INVENTORY MATTER?
A data inventory:
- Identifies information that must be tracked and safeguarded under the requirements of various laws, regulations, professional standards, or Penn State Policies and Standards (HIPAA, GLBA, NIST, AD95, etc.);
- Establishes compliance with applicable regulations, standards, and policies;
- Simplifies responses to e-discovery requests; and
- Accelerates breach incident investigation and containment.
WHAT SHOULD I INCLUDE IN MY DATA INVENTORY?
Each unit must provide a data inventory that includes the following:
- The type of data (biographical data, health data, etc.)
- The business purpose for the data (why does Penn State have this data?)