General Data Protection Regulation (GDPR)



GDPR Overview

The General Data Protection Regulation is a privacy law that applies to the personal information collected in or from the European Union (EU), or that is related to goods or services offered in the EU, or that involves the monitoring of individuals in the EU.


So, how does this affect us at UWF?

Although this is an EU regulation, it has significant potential to impact U.S. systems. There are three major categories of data that are most likely to be affected. These are: (1) data collected on students from the EU (e.g., international students), (2) human resources data (e.g., staff or faculty living or working overseas), and (3) marketing data (e.g., data collected from a potential student living in the EU who is interested in UWF).


Key Principles of GDPR

The GDPR establishes seven key principles:

Lawfulness, Fairness, and Transparency

Personal data must be processed lawfully, fairly and in a transparent manner

Purpose Limitation

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Data Minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Accuracy

Personal data must be accurate and, where necessary, kept up to date

Storage Limitation

Personal data must be kept in a form which permits identification of data subjects no longer than is necessary for the purposes for which the personal data was processed

Integrity and Confidentiality

Personal data must be processed in a manner that ensures appropriate security of the personal data

Accountability

Controllers (see GDPR Terminology) are responsible for, and must be able to demonstrate compliance with, the GDPR principles


GDPR Terminology

The following terms are essential components of the regulation.

Personal Data

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Processing

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Consent

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Controller/ Data Controller

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data


Your Rights as a Data Subject

At any point while UWF is in possession of or processing your personal data, you, the Data Subject, have the following rights:

Right of Access

As the Data Subject, you have the right to request a copy of the information that we hold about you.

Right of Rectification

As the Data Subject, you have the right to correct data that we hold about you that is inaccurate or incomplete.

Right to be Forgotten

As the Data Subject, there are certain circumstances in which you can ask for the data we hold about you to be erased from our records. 

Right to Restriction of Processing

Where certain conditions apply, you have the right to restrict the processing of your personal data.

Right of Portability

As the Data Subject, you have the right to have the data we hold on you transferred to another organization.

Right to Object

As the Data Subject, you have the right to object to certain types of processing such as direct marketing. 

Right to Object to Automated Processing, Including Profiling

As the Data Subject, you have the right to object to being subject to the legal effects of automated processing or profiling.

Right to Judicial Review

In the event that the University of West Florida refuses your request under any of the "rights of a data subject," we will provide you with a reason why.


UWF GDPR Privacy Notice

The following site contains the standard UWF GDPR Privacy Notice. Please keep in mind that many departments have posted their own, unit-specific notices.

https://uwf.edu/go/legal-and-consumer-info/eu-gdpr-privacy-notice/


FAQs

What rules govern data collection under GDPR?
  • Any collection of personal data must have a clearly defined purpose, which is prominently publicized, and the data cannot be used for any other purpose
  • Do not collect any more data than absolutely necessary
  • Consumers must be informed when personal data is being collected
  • Personal data is kept for only as long as necessary
  • Delete data where it is no longer necessary
  • Effectively secure all personal data being collected
  • Maintain documentation on your data processing activities
  • Ensure all sub-contractors and vendors adhere to GDPR rules

Who does GDPR impact?

Any department, office, system, and/or function that collects, uses, or stores information in or from the EU, or relating to individuals in the EU, falls under the scope of the regulation and may be impacted.

What actions should I be taking to comply with GDPR?

First and foremost, you need to determine how exposed your area or function is to GDPR. In order to get the ball rolling, you should start by reflecting on the following questions and statements:

  • Conduct an analysis of how your department/ office/ function/ research interacts with the EU.
    • Is there any personal data involved?
    • Do you monitor individuals in any way?
    • Are there any financial transactions with individuals in the EU?
    • What is your legal basis for collecting information?
    • Do your procedures need to be updated?
  • What are the ways someone in the EU could access you?
    • What are the touchpoints?
  • Think about our vendors, services, and internal and external websites that are used to reach into the EU.
  • Review your contracts.
  • Ask vendors and 3rd parties if they are GDPR compliant (or how they plan to become compliant).

What are the penalties for not complying?

The penalty for a violation can range anywhere from a warning to a fine of 20 million Euros, or up to 4% of UWF's annual revenue.

What is Profiling?

GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict certain aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.

Who are the EU member states?
  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom

Possible Impact and Solutions

The following table describes how certain areas might be impacted by GDPR and provides possible GDPR solutions. Please take note that these "solutions" do not represent legal guidance. This resource and web page are only meant to inform and should be seen as tools to help aid in your understanding of the regulation.

GDPR Possible Impacts and Solutions

Columns: Business Process & Potential Impact | Possible Solutions (suggestions to be discussed internally)

Research/ Technology Transfer:

  Potential Impact:
  • Collaborations and agreements with EU professors or universities that involve collecting or sharing personal information
  • Studies on EU individuals that involve personal information
  • Human subject research that involves personal information collected in the EU

  Possible Solutions:
  • Additional grant/contract clauses, expanded consent documents, specific consideration in IRB review
  • Internal process to handle withdrawn consent
  • Limit receipt of identifiable data

  Note that de-identified data is not subject to GDPR, but if it can be re-identified (i.e., there is a key) then it is subject to GDPR.

Faculty, Staff, and Students in or from the EU/ Human Resources:

  Potential Impact:
  • Correspondence containing personal information with individuals in the EU, or faculty/ staff/ students who will reside in the EU
  • Exchanging salary or tax information
  • Conducting background checks on individuals in the EU

  Possible Solutions:
  • Notification, signed consents, specific coverage of GDPR in University policy
  • Coordination with third party vendors who process data

Admissions, Financial Aid, Registrar, Online Education:

  Potential Impact:
  • Correspondence containing student personal information, transcripts or financial information being sent from EU students or parents
  • Program application monitoring

  Possible Solutions:
  • Notification, signed consents, specific coverage of GDPR in University policy
  • Coordination with third party vendors who process data
  • General GDPR notice in the General Announcements

Study Abroad (including exchange programs and students doing research in the EU):

  Potential Impact:
  • Correspondence containing student personal information regarding individuals who are on programs in the EU
  • SOS Insurance

  Possible Solutions:
  • Notification, signed consents, specific coverage of GDPR in University policy
  • Coordination with third party vendors who process data
  • General GDPR notice in the General Announcements

Title IX/ Clery:

  Potential Impact:
  • Tracking and reporting incidents in the EU (particularly where one party is not a student)

  Possible Solutions:
  • Signed consent where possible; notification, signed consents, specific coverage of GDPR in University policy
  • Document approach to potential conflicts up front
  • General GDPR notice in the General Announcements

University Advancement/ Development/ Alumni:

  Potential Impact:
  • Collecting, storing, and sharing personal and financial information in or from the EU, or relating to individuals in the EU

  Possible Solutions:
  • Signed consent where practical; internal process to respond to requests; GDPR in privacy policy
  • Coordination with third party vendors who process data

Risk Management:

  Potential Impact:
  • Sharing and receiving personal information, including with International SOS

  Possible Solutions:
  • Signed consent, privacy notices; coordination with third party vendors who process data

International Students:

  Potential Impact:
  • Discussions with students or parents who are in the EU regarding personal information or visa information

  Possible Solutions:
  • Notification, signed consents, specific coverage of GDPR in University policy
  • Coordination with third party vendors who process data
  • General GDPR notice in the General Announcements

Institutional Communications:

  Potential Impact:
  • Publicly available stories or pictures of faculty, staff or students in the EU

  Possible Solutions:
  • Consent when practical
  • Internal process to review and respond to take down requests

Information Technology:

  Potential Impact:
  • Designated individual as POC for GDPR
  • Data loss/ breach may require notice to individuals within 72 hours

  Possible Solutions:
  • Specific scan/procedure for EU individuals following a breach
  • Internal process to review and respond to take down requests


Additional GDPR Resources

The following resources should help provide you with a better understanding of the regulation, specifically how it relates to U.S. institutions of higher education.