The General Data Protection Regulation (GDPR) replaces the Data Protection Directive and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. It will become effective on May 25, 2018.
GDPR applies not only to organizations that process data in the EU, but also to any organization that offers goods or services to, or monitors the behavior of, people inside the EU. GDPR applies even if the processing takes place outside of the EU.
GDPR applies to information that directly or indirectly could identify an individual. This includes names, addresses, phone numbers, dates of birth, as well as IP addresses, cookie identifiers, device information, advertising identifiers, financial information, geo-location information, social media information, consumer preferences, etc.
EU data subjects are individuals physically residing in the EU, irrespective of nationality or permanent place of residence. This includes members of the University of Miami (UM) community who may be residing (permanently or temporarily) in the EU, and EU residents who attend or work for UM.
Any information related to a natural person or “data subject” that can be used to directly or indirectly identify the person.
GDPR gives EU data subjects significant new rights over how their personal data is collected, processed, and transferred by data controllers and processors. Under GDPR, EU data subjects have the right to, among other things:
EU data subjects are individuals physically residing in the EU, irrespective of nationality or permanent place of residence. This includes members of the University of Miami community who may be residing (permanently or temporarily) in the EU, and EU residents who attend or work for UM.
Since UM handles data related to these individuals, the University will need to show a path to compliance by May 25, 2018. GDPR imposes penalties on organizations that fail to comply.
GDPR will affect all aspects of UM operations, including the methods used to collect, store, and process data, including active and passive collection on websites; how UM shares data with third parties; contractual agreements; research; recruiting; alumni relations; study abroad; and online learning. Additionally, business processes and systems will be examined.
UM must have a documented legal basis for collecting and processing the personal data of EU data subjects. There are two basic categories of legal basis: (1) consent from the data subject, and (2) one of the specified business reasons for processing data.
UM must specifically be able to point to consent or to one of the stated business purposes as the reason for processing data. GDPR consent requirements are very specific and limit the use of personal data for uses other than those specifically stated in the consent document.
In response to the new regulation, UM has formed a GDPR working group, which consists of a full committee and a core committee, to address the requirements of the European Union’s (EU) General Data Protection Regulation (GDPR).
The working group has been established to create a project plan to address GDPR, which includes identifying data used by UM offices and schools and creating standards on how to handle and protect that data.
UM’s GDPR working group will take the following steps not only to address GDPR, but also to formalize a robust University-wide privacy program:
The University has undertaken steps to identify and map EU data throughout the University and will be asking for the participation of many of our departments and units throughout the University to address these requirements.
In order for compliance with GDPR to be successful, we will need your support. If you work with UM data, look for communications from the GDPR project team. We will be meeting with UM departments and units to identify EU data and to talk about next steps.
The GDPR working group is in the process of conducting a survey and is distributing, to identified recipients in various departments and units, a questionnaire designed to assess the ways in which units currently handle EU personal data.
If your unit has not already completed and submitted the questionnaire, and you believe that your unit may store, transfer, maintain, or market EU data, we ask that you please complete and submit the EU-GDPR Survey.
Nelson E. Perez, JD, CCEP
Executive Director
1320 South Dixie Highway
Gables One Tower, Suite 700
Coral Gables, FL 33146
Phone: (305) 284-2924
Fax: (305) 284-4804
Email: nelsonperez@miami.edu
Helenmarie Mirle Blake, ESQ
Soffer Clinical Research Center, Ste. 1120
1120 NW 14th St.
Miami, FL 33136
Phone: (305) 243-5000
Email: hmb33@miami.edu