GDPR and Data Protection

What is GDPR?

The General Data Protection Regulation (GDPR) is the new European Union (EU) privacy law governing how institutions handle personal data of EU citizens.

This Regulation goes in to effect beginning May 25, 2018. Failing to comply can result in fines.

GDPR outlines several rights of the individual for explicit consent on how personal data can be used processed, transmitted, and how such data must be protected. This means that an institution is required to record any and all processes it has for collecting, using and managing personal data. The institution is also required to maintain records of consent for such data.

How is your personal data defined?

“Personal data" is define as any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

• A name
• An identification number
• Location data
• Online identifier
• Or to one of more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

Does GDPR only apply to the University of St. Francis campuses in the EU?

GDPR applies to all EU subjects, regardless of where they are studying. In practice, the processes the University of St. Francis is putting in place to comply with GDPR will apply to all campuses and all the university constituents (e.g. prospective students, active students, employees, alumni) regardless of their country of citizenship.

In summary, all University of St. Francis campuses and operations must comply.

When are we allowed to process personal data?

The conditions for processing personal data under GDPR include:

• Consent of the data subject
• Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
• Processing is necessary for compliance with a legal obligation
• Processing is necessary to protect the vital interests of a data subject or another person
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

What is required for consent?

There are several requirements to establish consent under GDPR:

• Consent must be freely given, specific, informed and unambiguous.
• Consent requires some form of clear affirmative action. ("Opt-out" or silence does not constitute consent)
• Consent must be demonstrable. A record must be kept of how and when consent was given.
• Individuals have the right to withdraw consent at any time.

What rights does the individual have under GDPR?

The GDPR provides the following rights for individuals:

• The right to be informed
• The right of access
• The right to rectification
• The right to erase
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling