IU GDPR Working Group
3. The Regulation
The European Union’s General Data Protection Regulation (GDPR) went into effect May 25, 2018. This law imposes strict data protection rules on organizations in an effort to protect the privacy of individuals in the EU. The GDPR has been receiving significant news coverage, including in the US mainstream media, and has prompted numerous questions from the university community about what Indiana University is doing in response. We have provided some information below on the GDPR and IU’s strategy.
4. GDPR Scope
This Regulation may have implications for your unit if your unit collects, processes, or stores (or uses a third party to collect, process, or store) personal data[1] from individuals in[2] the European Union. The GDPR defines "personal data" very broadly: the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used to identify an individual, directly or indirectly.
The GDPR concerns the personal data of individuals in the European Economic Area (EEA), which includes the EU member states as well as Iceland, Norway, and Liechtenstein. So when we say the EU below, we mean all of the above countries.
To what extent is IU subject to the GDPR?
- The GDPR indicates that it applies to organizations based outside of the EU “where the [data] processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the [European] Union; or
- the monitoring of their behavior as far as their behavior takes place within the [European] Union”
- European authorities have provided little guidance on how these standards will be applied to organizations, such as US higher education institutions, based outside the EU; however, the GDPR does make clear that the mere fact that an organization’s website is accessible in the EU and can collect personal data from individuals in the EU does not, by itself, mean that the organization must comply with the GDPR.
- To be subject to the GDPR, the organization must show an intention to offer goods or services specifically to individuals in the EU, such as by mentioning customers or users in the EU on its website, allowing payment in Euros, or providing content in a language used in an EU member state.
- It is clear to us that the GDPR will impact certain IU activities where we are targeting individuals in the EU or monitoring their behavior (e.g., where an IU research project involves collecting personal data from EU residents); however, at least until we understand more clearly how the GDPR will be applied to organizations outside the EU, we are taking the position that most IU activities are not within the scope of the GDPR.
- As an example, at this time we do not plan to treat the data of EU citizens enrolling at IU as subject to the GDPR because IU will be providing those students with services almost exclusively in the US.
What are examples of some IU activities which might be within the scope of the GDPR?
- Undergraduate and graduate recruitment targeted towards EU residents
- Research involving the collection of personal data from EU residents
- Dual or joint degree programs with European institutions
- The use of CRM products to target or track EU residents
- Online degrees, programs, and other services tailored to EU residents
5. GDPR Compliance Requirements
The GDPR imposes significant new requirements on organizations (even those operating solely outside of the EU) that collect, process, or store personal data of individuals present in the EU, whether or not those individuals are EU citizens or residents. For example, the GDPR generally requires that organizations allow individuals access to their personal data and keep detailed records of how such personal data is processed. In the event of a GDPR violation, the Regulation gives EU supervisory authorities the ability to levy steep fines[3]. Please note that the GDPR will most likely not apply to data of EU citizens collected while they reside in the United States. For more information, please see this detailed article.
6. Compliance Questionnaire
In November and December of 2017, the IU GDPR Working Group distributed a questionnaire, designed to assess the ways in which units currently handle EU personal data, to approximately 111 recipients in various units. These individuals were chosen based on the IT-28 contact list maintained by UISO. The GDPR Working Group understands that, individually, these contacts may not have all of the knowledge needed to respond to our assessment; however, they were selected to help coordinate full responses from those in their units who are knowledgeable about each unit’s EU personal data collection, processing, and storage activities.
GDPR Questionnaire (last updated on or about 2017-12-15)
- The GDPR Questionnaire may take 10 minutes to a few hours to complete.
- You can preview the questions to facilitate discussion among those in your unit that may be able to provide insight into the subject matter prior to submission.
If your unit has not already completed and submitted the questionnaire, feel free to do so. We are taking a priority-based approach focused on the university's data processing activities that are most likely to be subject to the GDPR. The more the IU GDPR Working Group knows about each unit’s individual needs, the better able we will be to assist you with GDPR compliance. If you have questions, your unit may request a consultation with the IU GDPR Working Group.
7. GDPR starter-kit (Templates)
The following documents are merely template drafts and are not a one-size-fits-all GDPR compliance solution. Each use case may require significant customization (or completely alternative language). Please be sure to consult with the IU GDPR Working Group prior to implementing these.
- Privacy notice template (draft):
- Privacy Notice Generator (Not yet tailored to the GDPR)
- Data protection information notice template (draft):
- To be provided to data subjects at the time of (or prior to) data collection (when a web-based privacy notice is not applicable).
- Consent declaration template (draft)
- Data transfer agreement template with standard (model) contractual clauses (draft):
- Data transfer agreements may need to be incorporated into data purchasing / licensing / service agreements.
- This particular template is only applicable to transfers of data from an EU data controller to IU (when IU is also acting as a data controller). A different template may need to be implemented for situations in which IU is acting as a data processor, or when IU is transferring EU personal data to a third party.
Notes
[1] ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (GDPR Article 4(1))
[2] The word "in" is used broadly in this instance. The GDPR applies to the personal data of data subjects in the EU regardless of whether they are citizens or residents of the EU. (See Chapter 1, Article 3 of the GDPR for more information on "Territorial Scope".)
[3] Non-compliance may be subject to administrative fines of up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. (GDPR Article 83(5))