What is GDPR?
- The European Union recently introduced privacy regulations known as the EU General Data Protection Regulation (GDPR).
- The GDPR potentially affects how the University stores and processes information on “data subjects” who are in the European Union (EU). This could relate to instances where the University offers services to EU data subjects or to any monitoring of EU data subjects.
- This could include various activities involving EU residents, such as admissions, online education, research, recruitment and employment, development, website activity (if personal information is tracked), and study abroad.
- The GDPR goes into effect on 05/25/2018.
What action is the University of Missouri taking and who do I contact for questions?
A workgroup of individuals meets regularly to determine the ways that GDPR requirements can be integrated with University processes. Specific areas that are being addressed are:
- Students/Coursework – Personal information related to students’ admissions, registration, fee payment, financial aid, course work, etc. is needed by the University to manage its relationships with applicants and students, meet legal obligations, and carry out activities in the legitimate interests of the public and the University. Information about the University’s collection and processing of personal information of applicants and students who are covered by the GDPR can be found here.
- Human Resources – GDPR may apply to University recruiting and employment activities in some specific circumstances involving EU residents. HR staff will work with the Office of the General Counsel to address these situations.
- Contact: Work with your campus HR staff if you have specific questions.
- Research – The campus Research Offices will need to address specific questions about compliance as each research project may be impacted differently.
- Technical – In adherence with existing UM security measures, data affected by the GDPR must be protected according to the University Data Classification System (DCS). Data as described by the GDPR falls under DCL 3, which governs how that data is stored, transmitted and accessed.
- Contact: Work with your campus Information Security Officer and IT staff if you have specific questions.
As an employee, what do you need to do?
- Be informed: If you work in or oversee a department that handles information about EU citizens or residents, be familiar with the regulation and its requirements. For immediate concerns, work with your campus Registrar, Human Resources, Research, and IT offices to determine what measures must be taken.
- You do not need to take any action on your own. Consult with appropriate contacts noted above before taking any specific actions. It will take some time for a more precise understanding of how GDPR will be further defined, interpreted, and enforced by the EU and national data protection authorities of its member states. The University of Missouri will be paying close attention to the evolution of the law’s compliance requirements over the coming years and will respond as needed.
Whose data does the GDPR protect?
The GDPR protects personal data of data subjects located in the EU. GDPR applies to EU data subjects regardless of their citizenship or nationality. Much like an American in Paris would need to follow Paris traffic regulations, that same American’s personal data would be protected by the GDPR while in France. This is the concept of territoriality—GDPR protects all data subjects within EU borders.
What constitutes personal data?
Personal data is any information about an identified or identifiable data subject. This can include direct identifiers, such as name, address, email address, and national identification numbers, or indirect identifiers, such as location data or IP address. This list of data elements is not exhaustive; the definition of personal data under the GDPR is broad.
Who does the GDPR affect?
Organizations, regardless of where they are located, that offer goods or services to people in the EU or that collect data on people located in the EU must follow the GDPR.
What do employees need to do if we receive inquiries about how we handle GDPR data?
For guidance on handling these inquiries, use the campus contacts listed above as appropriate. Any further questions can be directed to the Office of the General Counsel.
What do employees do if a vendor or third-party provider contacts us about GDPR?
GDPR is currently a hot topic, and vendors and the media are filling our phones and inboxes with messages about it. For the most part, these unsolicited messages should be ignored. If a vendor or third party contacts you about an existing University agreement, refer the matter to the appropriate campus contact. If the media contacts you, follow your campus media policy and procedures.