INFORMATION TECHNOLOGY

GDPR Frequently Asked Questions

What is the GDPR?

The General Data Protection Regulation (GDPR), effective on May 25, 2018, represents a significant change in data privacy regulation. It replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, provide rights to European Union (EU) citizens regarding data privacy, and reshape the way organizations across the region approach data privacy. Specifically, it does two things: (1) it explicitly confers numerous rights regarding data privacy upon persons located in the EU, and (2) it requires covered organizations to put significant safeguards in place regarding the use and processing of personal data of EU residents.

How Do We Know If Our “Organization” Is Subject to the Requirements of GDPR?

The GDPR not only applies to organizations located within the EU but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

Whose data does the GDPR protect?

The GDPR covers personal information of all natural persons—that is, people, but not legal entities like corporations or nonprofits—physically within the EU ("EU data subjects"). The GDPR makes no distinction based on individuals' permanent places of residence or nationality. The GDPR applies to all such individuals' personal data.

What constitutes personal data?

Personal data in the context of GDPR means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to, among other things, an identifier such as a name, an identification number, location data, or an online identifier. Examples of personal data include, but are not limited to, name and surname, home address, a photograph, email address (such as name.surname@company.com), identification card numbers, personal phone numbers, location data (for example, the location data function on a mobile phone), Internet Protocol (IP) addresses, cookie IDs, the advertising identifier of a phone, data held by a hospital or doctor that uniquely identifies a person (for example, a unique patient number), and the content of exam papers.

What about Data Subjects under the age of 16?

Parental consent is required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this will not be below the age of 13.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of the controller.

Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent – and what is the difference?

The conditions for consent have been strengthened, as companies are no longer able to use long, illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. For non-sensitive data, however, “unambiguous” consent will suffice.

How does GDPR affect marketing strategies?

Data plays a critical part in both digital and direct marketing strategies, and therefore marketers must ensure they have demonstrated clear compliance and consent. CMOs and marketers must be able to show how the data subject consented to the processing of their personal data. Marketing databases have to be cleansed and reviewed to ensure that the organization can identify consent that has been granted lawfully and fairly. Although GDPR only affects citizens living in the European Union, it is recommended that companies that operate internationally ensure their handling of their entire global audience is GDPR compliant, to meet stringent data regulations in the future.

What are the penalties for non-compliance?

Organizations can be fined up to €20 million or 4% of annual global turnover for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements (e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts). There is a tiered approach to fines; e.g., a company can be fined 2% for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.

What does GDPR mean to the University of Toledo?

The University of Toledo is developing a GDPR compliance program [insert hyperlink to our GDPR page] to assist in analyzing and complying with the requirements of GDPR. The University Data Protection Officer has created a working group. The GDPR team is working to develop a risk-based GDPR compliance strategy and to develop recommendations for an ongoing, sustainable GDPR compliance program.

It will take a few years for a more precise understanding of how GDPR will be further defined, interpreted, and enforced by the EU and national data protection authorities of its member states. The University of Toledo will be paying close attention to the evolution of the law's compliance requirements over the coming years and will respond as needed.

Why does GDPR apply to the University of Toledo?

GDPR may apply to certain personal data collected by the University of Toledo because, in certain limited circumstances, we engage in business activities that collect or process the personal data of individuals residing in the EU.

What are examples of where GDPR applies and does not apply at UT?

Examples of when the GDPR may apply at UT:

    • A cohort of non-EU students is participating in a semester-long study abroad in one of the countries in the EU, and/or Iceland, Liechtenstein and Norway.
    • Students from the EU enrolled in online courses and/or programs offered by UT.
    • Office of Development is engaged in a fundraising campaign and is collecting donor information from alumni residing in the EU.
    • A research consortium in the EU provides the University of Toledo with the personal data of EU citizens for research analysis.

Examples of when the GDPR does not apply at UT:

    • An expatriate research group formed on campus, that is, a group at the university made up of EU citizens who are students at UT.
    • EU faculty are recruited at an academic conference held in Orlando, Florida. In contrast, GDPR would apply if these faculty members were recruited at a conference in Barcelona, Spain.
    • When a researcher’s collection of data is truly anonymous – that is, the information collected cannot be tied to an identified or identifiable individual – then the data collected will not be considered personal data and will not be covered by the GDPR.

How does the University of Toledo plan to comply with GDPR?

We are in the process of identifying and assessing data flows that may be impacted by GDPR and developing a risk-based GDPR compliance strategy in support of GDPR requirements. We will begin implementing prioritized GDPR requirements, develop recommendations for a sustainable GDPR compliance program, and make GDPR compliance resources available to the University community as they become available.

What do I need to do now to prepare for the new GDPR requirements?

Stay tuned. You do not need to do anything immediately. It will take some time for organizations around the world to sort through, understand, and determine the implications of the GDPR requirements and how these requirements impact public higher education institutions. Watch for more information as the university's GDPR working group goes about its work. If you have immediate questions or concerns, please contact GDPRinfo@utoledo.edu.

RESOURCES

https://eugdpr.org/the-regulation/gdpr-faqs/

https://www.safecomputing.umich.edu/protect-the-u/safely-use-sensitive-data/general-data-protection-regulation-compliance/faq

https://www.cupahr.org/data-privacy-gdpr/ – What Higher Ed HR Professionals Need to Know About New Data Privacy Rules in the European Union, CUPA-HR, March 26, 2018. This blog post was contributed by Joanna Lyn Grama, director of cybersecurity and IT governance, risk and compliance program at EDUCAUSE.

https://www.ucop.edu/ethics-compliance-audit-services/_files/compliance/privacy/GDPR.pdf

The New EU General Data Protection Regulation: What You Need to Know About It and Why – Responses to Unanswered Questions, NACUA Webinar, October 24, 2017, Borio, Cohen, & Quick (p. 4)

Last Updated: 8/29/19