- Members & Contact Information
- The Regulation
- GDPR Scope
- GDPR Compliance Requirements
- Compliance Questionnaire
- Additional information
IU GDPR Working Group
3. The Regulation
The General Data Protection Regulation (GDPR) is a new far-reaching European Union (“EU”) data privacy regulation that will go into effect on May 24, 2018. The GDPR greatly expands the territorial scope, enforcement uniformity, and umbrella of data covered by the previous EU Data Protection Directive.
4. GDPR Scope
This Regulation may have implications for your unit if your unit collects, processes, or stores (or uses a third party to collect, process, or store) personal data1 from individuals in2 the European Union. The GDPR defines "personal data" very broadly such that the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used to identify an individual.
The GDPR concerns the personal data of individuals in the European Economic Area, which includes EU countries as well as Iceland, Norway, and Lichtenstein. So when we say the EU, we mean all of the above countries.
5. GDPR Compliance Requirements
The GDPR imposes significant new requirements on organizations (even those operating solely outside of the EU) that collect, process, or store personal data of individuals present in the EU, whether or not EU citizens or residents. For example, the GDPR generally requires that organizations allow individuals access to their personal data and keep detailed records of how such personal data is processed. In the event of a GDPR violation, the Regulation gives EU authorities the ability to levy steep fines3. Please note that the GDPR will most likely not apply to data of EU citizens collected while they reside in the United States. For more information, please see this detailed article.
6. Compliance Questionnaire
In November of 2017, the GDPR Working Group distributed a questionnaire, designed to assess the ways in which units currently handle EU personal data, to approximately 111 recipients in various units. These individuals were chosen based on the IT-28 contact list maintained by UISO. The GDPR Working Group understands that individually these contacts may not have all of the requisite knowledge to respond to our assessment; however, they were our best guess as to who might be able to coordinate full responses with those in the units knowledgeable about each unit’s EU personal data collection, processing, and storage efforts. Below are some quick-links to the questionnaires:
- Initial questionnaire (1-4 questions depending on the answer to the first question)
- Follow-up questionnaire (11 questions in-depth questions) | You can preview the follow-up questions to facilitate discussion among those in your unit that may be able to provide insight into the subject matter prior to submission.
If your unit has not already completed and submitted the initial questionnaire (and, if applicable, the follow-up questionnaire), we implore you to do so. The more the Indiana University GDPR Working Group knows about each unit’s individual needs, the better able we will be to assist you with GDPR compliance before the Regulation goes into effect in May.
7. Additional Information
- EU GDPR text
- Privacy Notice Generator
- IU Policy ISPP-24: "Web Site, Web Applicaton, and Web Services Privacy Notices"
- Model Contracts: Model Contracts may need to be incorporated into data purchasing / licensing / service agreements.
- GDPR Portal | FAQs
- EU Data Protection Supervisor
- List of EU Data Protection Authorities
- ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- The word "in" is used broadly in this instance. The GDPR applies to the personal data of data subjects regardless of whether they are citizens or residents of the EU. (See Chapter 1, Article 3 of the GDPR for more information on "Territorial Scope".)
- Non-compliance may be subject to administrative fines up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.