Effective May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”) imposes data privacy and data protection requirements on entities that control or process personal data about people in the 28 member countries of the European Union (“EU”) as well as countries located in the European Economic Area (“EEA”). GDPR’s requirements apply to entities located outside of the EU who control or process the personal data of anyone who is in the EU, regardless of EU citizenship.
The GDPR is primarily focused on data privacy for EU data subjects. It also requires appropriate and reasonable data security measures.
GDPR is focused on the personal data of EU data subjects. Personal data is any information about an identified or identifiable EU data subject and includes name, address, online identifiers (including IP addresses), location data (e.g. GPS coordinates), email address, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life, and sexual orientation.
The GDPR gives EU data subjects significant new rights over how their personal data is collected, processed, and transferred.
Under GDPR, EU data subjects have the right to, among other things:
- Access any data that an organization has collected about them;
- Know why an organization is processing their personal data and the categories of personal data that an organization processes;
- Correct any errors in personal data collected or processed by an organization;
- Know how long an organization will store their personal data; and
- Under certain circumstances, require the organization to permanently delete the individual’s personal data, aka the “right to be forgotten”
From an organizational perspective, GDPR requires data protection safeguards be implemented and imposes a number of obligations:
- Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists;
- Minimize the collection and processing of personal data whenever possible;
- Protect any personal data that it collects and uses;
- Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal data of data subjects, implement a plan to mitigate those risks and impacts and continuously monitor both the risks and the mitigation plan for change;
- Conduct a data protection impact assessment for special categories of high-risk data collection and processing; and
- Have a breach notification policy and notify authorities within 72 hours of learning of the breach.
GDPR at Carnegie Mellon
Data Subjects may inquire about their rights or procedures at any time via GDPR-Info@andrew.cmu.edu.
Business units should be able to demonstrate how they meet the requirements listed above and may consult with the GDPR team at GDPR-Info@andrew.cmu.edu for any questions, concerns, or resource needs, e.g., conducting a data protection impact assessment.
The Procedure for Responding to a Compromised Computer provides direction to community members to report concerns to the Information Security Office. The Information Security Office’s Incident Response Plan addresses the 72 hour breach notice requirement.
Other offices include GDPR review and requirements in their standard business procedures, e.g., University Contracts Office, Office of Sponsored Programs, Office of the General Counsel, etc.