General Data Protection Regulation (GDPR)
GDPR Overview
The General Data Protection Regulation is a privacy law that applies to the personal information collected in or from the European Union (EU), or that is related to goods or services offered in the EU, or that involves the monitoring of individuals in the EU.
So, how does this affect us at UWF?
Although this is an EU regulation, it has significant potential to impact U.S. systems. There are three major categories of data that are most likely to be affected. These are: (1) data collected on students from the EU (e.g., international students), (2) human resources data (e.g., staff or faculty living or working overseas), and (3) marketing data (e.g., data collected from a potential student living in the EU who is interested in UWF).
Key Principles of GDPR
The GDPR establishes seven key principles:
- Personal data must be processed lawfully, fairly and in a transparent manner.
- Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Personal data must be accurate and, where necessary, kept up to date.
- Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was processed.
- Personal data must be processed in a manner that ensures appropriate security of the personal data.
- Controllers (see GDPR Terminology below) are responsible for, and must be able to demonstrate, compliance with the GDPR principles.
GDPR Terminology
The following terms are essential components of the regulation.
Personal Data
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Consent
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Controller / Data Controller
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Your Rights as a Data Subject
At any point while UWF is in possession of, or processing, your personal data, you, the Data Subject, have the following rights:
Right of Access
As the Data Subject, you have the right to request a copy of the information that we hold about you.
Right of Rectification
As the Data Subject, you have the right to correct data that we hold about you that is inaccurate or incomplete.
Right to be Forgotten
As the Data Subject, there are certain circumstances in which you can ask for the data we hold about you to be erased from our records.
Right to Restriction of Processing
Where certain conditions apply, you have the right to restrict the processing of your personal data.
Right of Portability
As the Data Subject, you have the right to have the data we hold on you transferred to another organization.
Right to Object
As the Data Subject, you have the right to object to certain types of processing such as direct marketing.
Right to Object to Automated Processing, Including Profiling
As the Data Subject, you have the right not to be subject to the legal effects of automated processing or profiling.
Right to Judicial Review
In the event that the University of West Florida refuses your request under any of the rights of a data subject listed above, we will provide you with the reason why.
UWF GDPR Privacy Notice
The European Union General Data Protection Regulation Privacy Notice page contains the standard UWF GDPR Privacy Notice. Please keep in mind that many departments have posted their own, unit-specific notices.
FAQs
Answers to Frequently Asked Questions (FAQs)
- Any collection of personal data must have a clearly defined purpose, which is prominently publicized, and the data cannot be used for any other purpose.
- Do not collect any more data than is absolutely necessary.
- Consumers must be informed when personal data is being collected.
- Personal data is kept only for as long as necessary.
- Delete data when it is no longer necessary.
- Effectively secure all personal data being collected.
- Maintain documentation on your data processing activities.
- Ensure all sub-contractors and vendors adhere to GDPR rules.
Any department, office, system, and/or function that collects, uses, or stores information in or from the EU, or relating to individuals in the EU, falls under the scope of the regulation and may be impacted.
First and foremost, you need to determine how exposed your area or function is to GDPR. To get the ball rolling, you should start by reflecting on the following questions and statements:
- Conduct an analysis of how your department/office/function/research interacts with the EU.
- Is there any personal data involved?
- Do you monitor individuals in any way?
- Are there any financial transactions with individuals in the EU?
- What is your legal basis for collecting information?
- Do your procedures need to be updated?
- What are the ways someone in the EU could access you?
- What are the touchpoints?
- Think about the vendors, services, and internal and external websites that are used to reach into the EU.
- Review your contracts.
- Ask vendors and third parties if they are GDPR compliant (or how they plan to become compliant).
The penalty for violations can range anywhere from a warning to a fine of 20 million euros or up to 4% of UWF's annual revenue.
GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behavior, location or movements”.
Possible Impact and Solutions
The following table describes how certain areas might be impacted by GDPR and provides possible GDPR solutions. Please take note that these "solutions" do not represent legal guidance. This resource and web page are only meant to inform and should be seen as tools to help aid in your understanding of the regulation.
| Business Process & Potential Impact | Possible Solutions (suggestions to be discussed internally) |
|---|---|
| Research / Technology Transfer | |
| Faculty, Staff, and Students in or from the EU / Human Resources | |
| Admissions, Financial Aid, Registrar, Online Education | |
| Study Abroad (including exchange programs and students doing research in the EU) | |
| Title IX / Clery | |
| University Advancement / Development / Alumni | |
| Risk Management | |
| International Students | |
| Information Technology | |
| University Marketing and Communications | |
Additional GDPR Resources
The following are resources that should help you gain a better understanding of the regulation, specifically how it relates to U.S. institutions of higher education.