European Union (EU) General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation, which took effect on May 25, 2018, protects the personal data of people in the EU, gives them enforceable rights over that data, and reshapes the way organizations inside and outside the region approach data privacy.
The GDPR applies to entities located outside of the EU that control or process the personal data of anyone who is in the EU, regardless of EU citizenship. This includes organizations that offer goods or services to, or monitor the behavior of, people inside the EU, and it applies even if the processing itself takes place outside of the EU. For Duquesne University this includes members of the University community who are residing (permanently or temporarily) in the EU, such as students studying abroad, faculty and staff working in the EU, and applicants, students, or employees located in the EU. It also includes people in the EU who participate in campus activities, including alumni organizations, mailing lists, forums, or other functions.
General Requirements of GDPR
The GDPR is focused on the personal data of EU data subjects. Personal data is any information relating to an identified or identifiable individual, whether the identification is direct (a name) or indirect (a combination of attributes, or a linkable identifier). It includes names, addresses, phone numbers, dates of birth, and also online identifiers (including IP addresses), cookie identifiers, location data (e.g. GPS coordinates), and device information. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, together with genetic data, biometric data used to identify a person, and data concerning health, sex life, or sexual orientation, are "special categories" of personal data under the GDPR and may only be processed under narrower conditions and with stronger safeguards.
The GDPR gives EU data subjects significant rights over how their personal data is collected, processed, and transferred. They have the right to, among other things:
- Access any personal data that an organization holds about them, and receive a copy of it without undue delay and within one month of the request (extendable in complex cases, with notice to the requester);
- Know why an organization is processing their personal data and the categories of personal data that an organization processes;
- Correct any errors in personal data collected or processed by an organization;
- Learn with whom or what third-party organization their information has been shared;
- Know how long an organization will store their personal data; and
- Under certain circumstances and conditions, invoke the "right to be forgotten" (the right to erasure), upon which the organization must erase, or otherwise irreversibly de-identify, the individual's personal data without undue delay and within one month of the request.
From an organizational perspective, GDPR requires data protection safeguards be implemented and imposes a number of obligations. An organization must:
- Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists;
- Minimize the collection and processing of personal data whenever possible;
- Protect any personal data that it collects and uses;
- Assess the risks and privacy impacts of collecting and processing the personal data of data subjects, implement a plan to mitigate those risks and impacts, and continuously monitor both the risks and the mitigation plan for change;
- Conduct a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk to individuals, including large-scale processing of special categories of data and systematic monitoring; and
- Have a breach notification policy and notify the supervisory authority within 72 hours of becoming aware of a personal data breach (and notify the affected individuals without undue delay when the breach is likely to result in a high risk to them).
GDPR at Duquesne University
Duquesne University has established a GDPR committee that provides guidance about the regulation. Because there are members of the Duquesne University community who are EU data subjects residing (permanently or temporarily) in the EU, the University will comply with the GDPR.
Data Subjects may inquire about their rights or procedures at any time via firstname.lastname@example.org. Duquesne University business units should be able to demonstrate how they meet the requirements listed above and may consult with the GDPR Committee for any questions, concerns or resource needs including conducting a data protection impact assessment by emailing email@example.com.
The University Technologies policies, including TAP 26, the CTS Data Governance Service Requirements, the Information Security Service Requirements, and the other policies and service requirements listed at https://duq.edu/cts/policies, define appropriate and reasonable privacy and security measures. Additionally, the University Information Security Incident Response Plan (IRP) addresses the 72-hour breach notification requirement. Incidents can be reported via email to firstname.lastname@example.org or by calling 412.396.4357 (HELP) 24/7.