What is GDPR?
The European General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, sets far-reaching rules that will impact businesses and higher education institutions here in the United States. Simply put, GDPR requires all entities that collect, store, or process personal data on any individual, who at the time of data collection resided in any of the member states of the European Union (EU), to comply with the data protection, access, destruction, and portability rules therein. GDPR also grants certain legal rights to those individuals who fall under GDPR protection and whose personal data is being collected and processed. Among other things, the EU GDPR requires Anderson University to:
- Be lawful, fair, and transparent about the personal data we collect/process.
- Collect personal data only for specified, explicit, and legitimate purposes.
- Collect only personal data that is required and relevant to the specified purpose.
- Have a process in place to erase/cease processing collected personal data identified as irrelevant and unnecessary.
- Ensure data accuracy and have a procedure to correct or erase inaccurate data swiftly.
- Retain personal data only while necessary.
- Appropriately secure personal data, including protecting against unauthorized or unlawful processing.
What is protected under the GDPR?
In general, the GDPR covers the collection, storage, and/or use of personal data for functions or activities which meet any of the following:
- Take place in the EU
- Involve outreach to EU residents to offer goods or services
- Track EU residents online or involve the control or processing of data relating to EU residents.
What is “personal data” according to GDPR?
The GDPR greatly broadens the definition of personal data. Accordingly, personal data includes:
- Basic identity information such as ID numbers, names, and addresses of various types
- Web data such as location, IP address, cookie data and RFID tags
- Health, genetic, and biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What is Anderson University doing?
A core team, including members from the Office of Information Technology, International Programs, Human Resources, the Office of the University Registrar, the Office of Financial Services, and the Office of Admission, is coordinating with legal counsel to evaluate and plan for compliance with the GDPR. This group will be working closely with select departments across campus to ensure that we are respecting the newest elements of what are considered personal and sensitive data under GDPR.
If you have questions about the GDPR or how it may apply to your department, unit, or person, please contact Jason Ritchie, GDPR Team Lead and Director of Information Services at firstname.lastname@example.org.