The General Data Protection Regulation (GDPR) replaces the Data Protection Directive and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy.  It became effective on May 25, 2018.

Who does GDPR apply to?

GDPR applies not only to organizations that process data in the EU, but also to any organization that offers goods or services to, or monitors the behavior of, people inside the EU. GDPR applies even if the processing takes place outside of the EU.

Which data elements fall under GDPR?

GDPR applies to information that directly or indirectly could identify an individual.  This includes names, addresses, phone numbers, dates of birth, as well as IP addresses, cookie identifiers, device information, advertising identifiers, financial information, geo-location information, social media information, consumer preferences, etc.

Who does GDPR protect?

EU data subjects are individuals physically residing in the EU, irrespective to nationality or permanent place of residence. This includes members of the University of Miami (UM) community who may be residing (permanently or temporarily) in the EU, and EU residents who attend or work for UM.

What constitutes personal data?

Any information related to a natural person or “data subject” that can be used to directly or indirectly identify the person.

What rights are afforded by GDPR?

GDPR gives EU data subjects significant new rights over how their personal data is collected, processed, and transferred by data controllers and processors. Under GDPR, EU data subjects have the right to, among other things:

• Access any data that an organization has collected about the individual;
• Know why an organization is processing the individual’s personal data and the categories of personal data that an organization processes;
• Correct any errors in personal data collected or processed by an organization;
• Know how long an organization will store the individual’s personal data; and
• Under certain circumstances, require the organization to permanently delete the individual’s personal data (this right is sometimes referred to as the right to be forgotten or the right to erasure).
• From an organizational perspective, GDPR requires significant data protection safeguards be implemented and imposes a number of obligations; notable requirements include that the organization:
• Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists;
• Minimize the collection and processing of personal data whenever possible;
• Protect any personal data that it collects and uses;
• Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal data of data subjects, implement a plan to mitigate those risks and impacts, and continuously monitor both the risks and the mitigation plan for change;
• Conduct a data protection impact assessment for special categories of high-risk data collection and processing; and
• Have a breach notification policy, and notify authorities within 72 hours of learning of the breach.

How will GDPR impact UM?

EU data subjects are individuals physically residing in the EU, irrespective to nationality or permanent place of residence. This includes members of the University of Miami community who may be residing (permanently or temporarily) in the EU, and EU residents who attend or work for UM.

Since UM handles data related to these individuals, the University will need to show a path to compliance by May 25, 2018. GDPR imposes penalties on organizations that fail to comply.

GDPR will affect all aspects of UM operations, including the methods used to collect, store, and process data, including active and passive collection on websites; how UM shares data with third parties; contractual agreements; research; recruiting; alumni relations; study abroad; and online learning. Additionally, business processes and systems will be examined.

UM must have a documented legal basis for collecting and processing the personal data of EU data subjects. There are two basic categories of legal basis: (1) consent from the data subject, and (2) one of the specified business reasons for processing data.

UM must specifically be able to point to consent or to one of the stated business purposes as the reason for processing data. GDPR consent requirements are very specific and limit the use of personal data for uses other than those specifically stated in the consent document.

What is UM doing?

In response to the new regulation, UM has formed a GDPR working group, which consists of a full committee and a core committee, to address the requirements of the European Union’s (EU) General Data Protection Regulation (GDPR).

The working group has been established to create a project plan to address GDPR, which includes identifying data used by UM offices and schools and creating standards on how to handle and protect that data. 

UM’s GDPR working group will take the following steps to address not only GDPR, but to formalize a University-wide robust privacy program:

1. Build: Develop a comprehensive communications plan and formalize the project team
2. Assess: Survey departments to identify and assess data that needs protection, addressing critical business functions first;
3. Implement: Apply a prioritized approach to addressing the critical controls; develop processes, policies, and procedures; and develop training;
4. Manage: Manage and master data processes and related data through established controls;
5. Demonstrate: Establish sustainability in how privacy risk is managed, monitored, and assessed through self-assessment capabilities; maintain required evidence.

How can you help?

The University has undertaken steps to identify and map EU data throughout the University and will be asking for the participation of many of our departments and units throughout the University to address these requirements.

In order for compliance with GDPR to be successful, we will need your support. If you work with UM data, look for communications from the GDPR project team. We will be meeting with UM departments and units to identify EU data and to talk about next steps.

Compliance survey

The GDPR working group is in the process of conducting a survey and is distributing a questionnaire designed to assess the ways in which units currently handle EU personal data to identified recipients in various departments and units.

If your unit has not already completed and submitted the questionnaire, and you believe that your unit may store, transfer, maintain, or market EU data, we ask that you please complete and submit the EU-GDPR Survey.

Resources

• Protection of Personal Data in the EU – Fact Sheet
• General Data Protection Regulation
• European Commission Data Protection
• GDPR (Searchable Feature)

Additional Information

• GDPR Guide
• UM-GDPR-PowerPoint

Office of University Compliance Services

Data Protection Officer

Hilary Cox, JD, CIPP/US
Executive Director, University & Research Privacy
1320 South Dixie Highway, Suite 1160
Gables One Tower
Coral Gables, FL 33146
Phone: 305-243-7376
Email: hxc823@miami.edu

Office of University Compliance Services

Nelson E. Perez, JD, CCEP
Executive Director
1320 South Dixie Highway
Gables One Tower, Suite 700
Coral Gables, FL 33146
Phone: 305-284-2924
Fax: 305-284-4804
Email: nelsonperez@miami.edu