GDPR Overview
The General Data Protection Regulation is a privacy law that applies to the personal information collected in or from the European Union (EU), or that is related to goods or services offered in the EU, or that involves the monitoring of individuals in the EU.
How does this affect us at FGCU?
Although this is an EU regulation, it has significant potential to impact U.S. systems. Three major categories of data are most likely to be affected: data collected on students from the EU (e.g., international students), human resources data (e.g., data collected from or on staff or faculty living or working in the EU) and marketing data (e.g., data collected from a potential student living in the EU who is interested in FGCU).
This overview provides guidance identifying business solutions where GDPR may apply. Please consult the Office of Institutional Equity and Compliance or the Office of General Counsel for further information and direction in applying GDPR.
Key Principles of GDPR
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
GDPR Terminology
The following terms are essential components of the regulation.
Personal Data
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Officer
The Data Protection Officer is the person formally responsible for data protection compliance within an organization. Not every business will need to appoint a data protection officer – you need to do so if:
- Your organization is a public authority; or
- You carry out large-scale systematic monitoring of individuals (for example, online behavior tracking); or
- You carry out large-scale processing of special categories of data or data relating to criminal convictions and offenses.
Consent
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Processor
Unlike the DPA, the GDPR introduces specific obligations for data processors. These are third parties that process data on behalf of a data controller, including IT service providers.
Controller/Data Controller
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Right to be Forgotten
The right to erasure of personal data, or ‘the right to be forgotten’, enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Pseudonymous Data
Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified. A good example of pseudonymous data is coded data sets used in clinical trials.
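To make the "key" idea concrete, here is an added illustration in Python; it is not code from this page or from FGCU. It replaces the direct identifiers in a small set of constructed student records with a keyed token (an HMAC over the record's id, using an assumed secret key), keeps the token-to-identity mapping in a separate lookup table, and shows that re-identification is only possible for whoever holds that table. Deleting a subject's entry from the table also shows how an erasure request can be honoured while the remaining de-identified data stays usable.

```python
import hmac
import hashlib
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"student_id": "S1001", "name": "Ada Example", "email": "ada@example.edu", "country": "DE", "grade": 88},
    {"student_id": "S1002", "name": "Ben Sample", "email": "ben@example.edu", "country": "FR", "grade": 92},
]

# Fields that identify a person directly and therefore must not stay in the shared data set.
DIRECT_IDENTIFIERS = ("student_id", "name", "email")


def new_key() -> bytes:
    """Generate a fresh secret key; in practice this is stored apart from the data set."""
    return secrets.token_bytes(32)


def pseudonymize(records, key: bytes):
    """Return (pseudonymized_records, lookup_table).

    Each record's direct identifiers are replaced by a keyed token.  The token is an
    HMAC so that it is stable for a given key (the same person gets the same token
    across runs) but cannot be reversed or recomputed without the key.
    """
    pseudonymized = []
    lookup = {}  # token -> original identifiers; this is the "key" that must be held separately
    for rec in records:
        token = hmac.new(key, rec["student_id"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymized.append({"token": token, **stripped})
    return pseudonymized, lookup


def reidentify(pseudo_record, lookup):
    """Restore a record's identity; only the holder of the lookup table can do this."""
    identity = lookup.get(pseudo_record["token"])
    if identity is None:
        raise KeyError("token is not present in the key table")
    rest = {k: v for k, v in pseudo_record.items() if k != "token"}
    return {**identity, **rest}


def erase_identity(lookup, token: str) -> bool:
    """Honour an erasure request by dropping the mapping for one token.

    After this the pseudonymized record can no longer be linked back to a person,
    while the non-identifying fields remain available for aggregate use.
    """
    return lookup.pop(token, None) is not None


if __name__ == "__main__":
    key = new_key()
    pseudo, table = pseudonymize(RECORDS, key)
    print("shared data set:", pseudo)
    print("re-identified first record:", reidentify(pseudo[0], table))
    erase_identity(table, pseudo[0]["token"])
    try:
        reidentify(pseudo[0], table)
    except KeyError as e:
        print("after erasure:", e)
```

The shared data set carries only the token, country and grade; whoever receives it cannot recover names or emails, and anyone who does not hold the key cannot even compute the token for a known student id. Holding the lookup table apart from the data set, under tighter access control, is what makes the data pseudonymous rather than merely reformatted.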
Frequently Asked Questions
- What rules govern data collection under GDPR?
- Who does GDPR affect?
- What actions should I be taking to comply with GDPR?
- What are the penalties for not complying?
- Who are the EU member states?
Additional GDPR Resources
The following resources should help provide you with a better understanding of the regulation, specifically how it relates to U.S. institutions of higher education.
- Official EU GDPR Site
- EDUCAUSE Resources
- EU GDPR Informational Site
- EAB GDPR Article
- AACRAO - Comparing GDPR and FERPA
- Inside Higher Ed Article