European Union General Data Protection Regulation (GDPR) Compliance

What is the GDPR?

The General Data Protection Regulation (GDPR) is a privacy law that is interpreted and enforced by all countries in the EU (and Switzerland). The GDPR became effective in May 2018. It is based on the premise that each person has the fundamental right to control their personal data and how it is used.

GDPR Expands the Definition of Personal Data

Personal Data means any information that can identify a person, directly or indirectly, such as a name, birthdate, address, ID number, location data, IP address, or a factor specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

The GDPR provides extra protection to some personal data such as: racial or ethnic origin; political opinions; religious or philosophical beliefs; genetic data; biometric data; health data; and sex life or sexual orientation.

NOTE: The GDPR protects data that ASU could otherwise share, e.g., names, email addresses, and birth dates.

GDPR Applications List

The current list of GDPR applications can be viewed here.

How to Drive a Culture of Privacy at ASU – Privacy by Design and Default

Collect only personal data that ASU truly needs, and keep it only as long as necessary

Clearly communicate what data is being collected and how it will be used

Obtain and track consent from each data subject

Anonymize or pseudonymize personal data before sharing, transmitting, or storing

Limit access to personal data, both within and outside of ASU

Use secure systems, networks, programs, and devices

Require third parties (vendors and contract partners) to use information security best practices

Only use marketing or tracking cookies with consent

Do not pre-check “yes” or automatically opt in anyone on any personal data use consents

Ensure third parties have obtained necessary consents before purchasing personal data from them
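The practices above (collect only what is needed, pseudonymize before sharing, obtain explicit consent, and never treat a pre-checked box as consent) can be enforced in code at the point where a record leaves a system. The following is an added illustration, not ASU's own code or tooling: it keeps only the fields a stated purpose needs, replaces identifying fields with keyed HMAC-SHA256 pseudonyms, and refuses to release a record unless an affirmative, unwithdrawn consent for that purpose is on file. The key, field names, and sample record are constructed for the example.

```python
import hashlib
import hmac

# Assumed: a secret held in a key vault and never shipped with the data.
# Without this key a recipient cannot reverse or re-link the pseudonyms,
# which is what makes the output pseudonymized rather than merely hashed.
PSEUDONYM_KEY = b"constructed-demo-key-replace-in-practice"

# Fields treated as personal data under the expanded GDPR definition
# (hypothetical field names for this example).
PERSONAL_FIELDS = {"name", "email", "birthdate", "ip_address"}


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym: same input and key give the same token,
    so records can still be linked internally, but the token is not reversible."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_and_pseudonymize(record: dict, needed_fields: set) -> dict:
    """Data minimization plus pseudonymization: drop every field the purpose
    does not need, and tokenize the personal-data fields that remain."""
    out = {}
    for field, value in record.items():
        if field not in needed_fields:
            continue  # not needed for this purpose: do not share it at all
        out[field] = pseudonymize(value) if field in PERSONAL_FIELDS else value
    return out


def consent_is_valid(consent: dict, purpose: str) -> bool:
    """Consent counts only if it is for this purpose, was an affirmative act
    (a pre-checked box or silent opt-in is rejected), and was not withdrawn."""
    if consent.get("purpose") != purpose:
        return False
    if consent.get("method") in ("pre_checked", "default_opt_in"):
        return False
    if consent.get("given") is not True:
        return False
    if consent.get("withdrawn_at") is not None:
        return False
    return True


def prepare_for_sharing(record: dict, consent: dict, purpose: str, needed_fields: set):
    """Return the minimized, pseudonymized record, or None when there is no valid
    consent for the purpose (the caller must then not transmit anything)."""
    if not consent_is_valid(consent, purpose):
        return None
    return minimize_and_pseudonymize(record, needed_fields)


# Constructed sample data for the walkthrough.
SAMPLE_RECORD = {
    "name": "Example Student",
    "email": "student@example.edu",
    "birthdate": "2000-01-01",
    "ip_address": "203.0.113.7",
    "course": "CSE 101",
    "grade": "A",
}
VALID_CONSENT = {"purpose": "research", "method": "checkbox_clicked",
                 "given": True, "withdrawn_at": None}
PRECHECKED_CONSENT = {"purpose": "research", "method": "pre_checked",
                      "given": True, "withdrawn_at": None}
RESEARCH_FIELDS = {"email", "course", "grade"}

if __name__ == "__main__":
    print(prepare_for_sharing(SAMPLE_RECORD, VALID_CONSENT, "research", RESEARCH_FIELDS))
    print(prepare_for_sharing(SAMPLE_RECORD, PRECHECKED_CONSENT, "research", RESEARCH_FIELDS))
```

Two design points matter here. A plain hash of an email address is not a pseudonym in any useful sense, because anyone can hash candidate addresses and match them; the keyed HMAC ties re-identification to possession of the key, which stays inside the data controller. And the consent check is deliberately an allow-list: a record is released only when every condition is affirmatively met, so a missing or malformed consent record fails closed rather than open.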

Resources:

Data Privacy Impact Assessment

GDPR Data Processing Agreement (DPA) Guidance

GDPR FAQ page

GDPR Guidance for Collecting and Using Data

GDPR One Page Summary

GDPR 3rd Party Guidance

Privacy by Design

Privacy Guidance for Requests for Information (RFIs)

Privacy Guidance for Social Media

ASU Standard Terms and Conditions