The European Union's General Data Protection Regulation (EU-GDPR) is a data privacy and security regulation designed to shield EU residents (as well as residents from any EEA nations) from the impact of data breaches and improper use of data. It replaces previous EU data privacy and security regulations and is much broader in scope and presents a greatly expanded definition of personal data than used in US regulations. Oregon State University is subject to this regulation. As a result, we’re obligated to implement appropriate technical and organizational controls in an effective way to protect and observe “Data Subject Rights” for individuals with permanent or temporary residency within EU nations.
The EU-GDPR goes into effect May 25, 2018.
A: The regulation is provided to protect individuals when they are residing in the EU/EAA. If we're conducting our business (which is research and education) there, either in person or over the web, it applies to us. So if someone from Rome applies for a position as a professor in the Anthropology Department, or a Music major does a study abroad term in Salzburg, any data we've collected from them in those locations falls under the regulation.
US Law does take precedence, and we're obligated (and allowed by the regulation) to follow it. But that doesn't dismiss any remaining obligations that fall under the regulations. Our only other option would be to not conduct any of our research or educational activities in those locations, which, if you think about it, doesn't fit very well with our mission.
A: All personal data that is stored or processed in the EU by OSU, or OSU's agents or contractors. This includes the personal data of students, faculty, staff, and other members of the OSU community, such as visiting scholars, alumni, applicants, and web site visitors, who are:
What is included in their definition of personal data? The regulation defines personal data as "any information related to an identified or identifiable natural person." This includes both direct, as in a name, or indirect, as in "the student from Aberdeen enrolled in my geography class." It includes things like identification numbers, an IP address or cookie string. It is extremely broad.
A: In Fall 2017, an EU-GDPR working group was formed to evaluate the impact of the regulation and to make recommendations to the Compliance Executive Committee. The working group determined that six areas are most impacted by the regulation, and initially concentrated their efforts there. Those six areas are Study Abroad, International Faculty and Scholars, International Students, Alumni and Foundation activities, Web Services, and Research (in particular, human subject research.) The working group conducted initial data protection impact assessments on those areas; the assessments identified the following actions were required by the implementation date:
Efforts will not stop there and need to be on-going past the implementation date. This will involve continued monitoring of EU-GDPR guidance and enforcement action, identification and notification of covered activities to the DPO, and continued contract work for lower-volume services.
A: Well, if nothing bad happens, then we’re likely to not be noticed. But the penalties are too great for us to take that chance: Organizations in breach of EU-GDPR can be fined up to 4% of annual global turnover or €20 million (approx. $24m) – whichever is greater—for serious infringements. There is a tiered approach to fines (for example, a fine of 2% of annual global turnover for each of the following violations, up to 4% total: not having records in order, not notifying the supervising authority of a data breach, or not conducting an impact assessment). The law also allows for individual EU nations to enact criminal laws for violation of EU-GDPR.
A: Not necessarily. If you’re only logging visits to your website to aid in the diagnosis of performance problems, or because the Office of Information Security requires you log visits for compliance reasons, you should be fine without. But if you’re doing anything that remotely resembles targeted marketing or behavior monitoring, such as tracking clicks from links in targeted emails, targeting content based on previous visits, changing language or currency collected based on IP geolocation, you fall directly under the regulation. If that’s the case, please contact us for more information.
A: You need to make sure that the Human Research Protection Program is aware of this (include it in your IRB application materials) and contact the Data Protection Officer (DPO). The DPO will arrange for a security review to ensure that the data is protected appropriately. You’ll also to be aware that the consent process will be different, and additional elements will be required in the form. For more information about conducting human subjects research in the EU, click here.
A: That activity would be covered under the regulation, since you’re tracking behaviors tied to an individual. That doesn’t mean you can’t (or shouldn’t) do it—that’s a business decision for your college and university leadership to discuss. You could decide that you’re only going to do that for US residents, or simply not target EU residents with this marketing. But if you need to include them, then we should discuss how that data is collected and stored, develop the appropriate consent forms for the collection, and establish a process to allow EU residents to “be forgotten.” Contact us for more information.
A: Per the regulation, EU residents have the right to know whether or not personal data concerning them is being processed, where and for what purpose. Upon request, OSU will be required to provide a copy of the personal data, free of charge, in electronic format. They also have the right to be forgotten: EU residents have the right to request that their data erased but we are allowed to consider “public interest in availability of data” when considering such requests.
A: No, of course not. We’re being a little silly here to make a point, but it gives a good example of the regulation’s allowance for legal uses of the data. We have a legal obligation to collect and retain that data, or, in the wording of the regulation, “the exercise of official authority.”
While they may not be as simple as this one, you may run into circumstances where you need to know if the regulation applies. If that happens, we’d encourage you to contact us for more information.
A: In effect, it applies to both. In the majority of cases where OSU is dealing with a third party with access to data, we are acting as the data controller, and the third party is acting as a data processor. Both are obligated to protect the data, but the main obligation is on the data controller (OSU). If you are aware of any of these relationships, we may need to review or amend any contract language. Please contact us.
A: There is no distinction between a credit or a non-credit student. The question is whether OSU is offering goods and services to EU residents. Once a student is enrolled, we have an obligation to retain that data.
A: Perhaps. If you have the demographics, and if that could be used to derive insights on the identity of an individual (even things as simple as an IP address, or a street address, etc.) then yes, it would apply. If the data is “rendered anonymous in such a way that the data subject is not or no longer identifiable” or the data is processed, “in a way that the data can no longer be attributed to a specific data subject without the use of additional information” (and that additional information is stored separately), then the regulation broadly allows for the use of that data. Just bear in mind that there may be situations that would be anonymous in some circumstances, but not another (in particular, this can be a problem when dealing with rural populations).
A: The regulation requires public institutions to appoint a Data Privacy Officer, or DPO. The DPO should be contacted in these instances.
Our process is unchanged—the Chief Information Security Officer (CISO) investigates data exposures/potential breaches and works with the Office of General Counsel to ensure that we are notifying appropriately. The Data Protection Officer will report this to the appropriate EU authorities.