The General Data Protection Regulation (GDPR) replaces the Data Protection Directive and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy.  It became effective on May 25, 2018.

Who does GDPR apply to?

GDPR applies not only to organizations that process data in the EU, but also to any organization that offers goods or services to, or monitors the behavior of, people inside the EU. GDPR applies even if the processing takes place outside of the EU.

Which data elements fall under GDPR?

GDPR applies to information that directly or indirectly could identify an individual.  This includes names, addresses, phone numbers, dates of birth, as well as IP addresses, cookie identifiers, device information, advertising identifiers, financial information, geo-location information, social media information, consumer preferences, etc.

Who does GDPR protect?

EU data subjects are individuals physically residing in the EU, irrespective to nationality or permanent place of residence. This includes members of the University of Miami (UM) community who may be residing (permanently or temporarily) in the EU, and EU residents who attend or work for UM.

What constitutes personal data?

Any information related to a natural person or “data subject” that can be used to directly or indirectly identify the person.

What rights are afforded by GDPR?

GDPR gives EU data subjects significant new rights over how their personal data is collected, processed, and transferred by data controllers and processors. Under GDPR, EU data subjects have the right to, among other things:

• Access any data that an organization has collected about the individual;
• Know why an organization is processing the individual’s personal data and the categories of personal data that an organization processes;
• Correct any errors in personal data collected or processed by an organization;
• Know how long an organization will store the individual’s personal data; and
• Under certain circumstances, require the organization to permanently delete the individual’s personal data (this right is sometimes referred to as the right to be forgotten or the right to erasure).
• From an organizational perspective, GDPR requires significant data protection safeguards be implemented and imposes a number of obligations; notable requirements include that the organization:
• Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists;
• Minimize the collection and processing of personal data whenever possible;
• Protect any personal data that it collects and uses;
• Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal data of data subjects, implement a plan to mitigate those risks and impacts, and continuously monitor both the risks and the mitigation plan for change;
• Conduct a data protection impact assessment for special categories of high-risk data collection and processing; and
• Have a breach notification policy, and notify authorities within 72 hours of learning of the breach.

How will GDPR impact UM?

EU data subjects are individuals physically residing in the EU, irrespective to nationality or permanent place of residence. This includes members of the University of Miami community who may be residing (permanently or temporarily) in the EU, and EU residents who attend or work for UM.

Since UM handles data related to these individuals, the University will need to show a path to compliance by May 25, 2018. GDPR imposes penalties on organizations that fail to comply.

GDPR will affect all aspects of UM operations, including the methods used to collect, store, and process data, including active and passive collection on websites; how UM shares data with third parties; contractual agreements; research; recruiting; alumni relations; study abroad; and online learning. Additionally, business processes and systems will be examined.

UM must have a documented legal basis for collecting and processing the personal data of EU data subjects. There are two basic categories of legal basis: (1) consent from the data subject, and (2) one of the specified business reasons for processing data.

UM must specifically be able to point to consent or to one of the stated business purposes as the reason for processing data. GDPR consent requirements are very specific and limit the use of personal data for uses other than those specifically stated in the consent document.

How can you help?

If you work with UM data, which you believe is EU data that your unit may be storing, transferring, maintaining, or marketing, we ask that you please contact the Office of University Compliance Services.

Data Subject Access Request (DSAR)

GDPR and the UK Data Protection Act 2018 confer several rights on individuals about whom the University holds and processes personal data, which includes access and erasure. The University must administer requests from individuals relating to these rights.

Any DSARs should be sent via email to: ucs@Miami.edu.

Resources

• Protection of Personal Data in the EU – Fact Sheet
• General Data Protection Regulation
• European Commission Data Protection
• GDPR (Searchable Feature)

Additional Information

• GDPR Guide
• UM-GDPR-PowerPoint

Office of University Compliance Services

Office of University Compliance Services

Nelson E. Perez, JD, CCEP
Executive Director
1320 South Dixie Highway
Gables One Tower, Suite 700
Coral Gables, FL 33146
Phone: 305-284-2924
Fax: 305-284-4804
Email: nelsonperez@miami.edu