By Scott Seaborn. On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) took effect, significantly changing the international privacy landscape and raising the regulatory stakes for institutions and companies that handle the personal data of persons in Europe.
Expansion of individual privacy rights
GDPR expands the suite of rights for individual data subjects beyond those guaranteed by prior European law, and goes even further than the benchmark United States privacy laws governing health care and educational records, the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). Some of the rights guaranteed to data subjects under GDPR include:
- The right to be informed regarding the collection and intended use of a subject’s personal data,
- The ability to make informed decisions regarding the use and disclosure of the data,
- The right to access the data upon request or have the data transferred to a third party, and
- The right to have the data returned or deleted.
Data elements protected by the GDPR
In relation to prior privacy regulations, the GDPR further broadens the scope of data elements that receive legal protection.
GDPR protections apply to “personal data,” defined as any information relating to an identified or identifiable natural person. In addition to common identifiers, such as a data subject’s name, address, phone number, IP address, email address, and photographic image, the GDPR also protects special categories of data such as the data subject’s race or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health information, genetic information, and biometric data. For these special categories, the GDPR imposes additional protections and, absent another exception permitted by the regulation, requires the explicit consent of the data subject in order for the data to be collected and processed.
Though GDPR is a European Union law, its reach extends far beyond Europe’s shores. Any organization, regardless of where it is based, that offers goods or services to, or monitors the behavior of, persons in the European Economic Area (EEA), which includes the European Union member states as well as Iceland, Liechtenstein, and Norway, is subject to its requirements for that processing. Thus, US organizations such as UC that accept applicant data from students in the EEA, conduct research on human subjects in the EEA, and send thousands of students to study abroad in the EEA are subject to GDPR for these activities. Current UC programs impacted by GDPR include:
- Education Abroad
- International research
- Admissions and recruitment
- UC Press
- Concierge medical services
- Office of Institutional Advancement
- UC’s UK Trust
and others that interact with persons in the EEA.
For each impacted program, UC is required to:
- Determine the lawful basis for processing the personal data of EEA data subjects,
- Implement “Privacy by Design” (which GDPR terms data protection by design and by default), building privacy safeguards into its processing activities before any personal data of EEA data subjects is collected,
- Conduct a Data Protection Impact Assessment when required, which assesses the risks the processing poses to EEA data subjects and the safeguards that address those risks,
- Notify data subjects in a clear and transparent manner regarding the personal data collected and how the data will be processed and shared,
- Obtain a data subject’s consent for certain types of processing,
- Ensure, typically by contract, that third parties that receive personal data of EEA data subjects adhere to the requirements of GDPR, and
- Develop a GDPR-compliant process for responding to individual data subjects’ requests regarding the data about them that has been collected and processed.
Penalties and enforcement
The GDPR specifies strict penalties for organizations that fail to comply, with potential fines of up to 20 million Euros or 4 percent of global annual revenue, whichever is higher.
The first formal enforcement action under GDPR was initiated in July 2018 by the United Kingdom’s Information Commissioner’s Office against a Canadian analytics firm, AggregateIQ Data Services. The current European Data Protection Supervisor, Giovanni Buttarelli, has indicated that he expects the first fines to be levied under GDPR by the end of 2018.
In response to GDPR, UC’s legal, information technology, and compliance functions have initiated a GDPR compliance implementation program that is spearheaded by the privacy official at each UC location. To assist location privacy officials in implementing the program, UCOP’s GDPR team has developed a library of operational tools and legal advisories designed for each compliance process GDPR requires. These tools and advisories are available on a Box site and have also been organized into a compliance framework that is available internally to all UC employees on the Ethics, Compliance and Audit Services (ECAS) SharePoint site.
For questions regarding GDPR, as well as access to the Box site and/or ECAS GDPR Compliance Framework SharePoint site, please contact your UC location’s privacy official.
Scott Seaborn is privacy manager at the UC Office of the President.