European Union General Data Protection Regulation (GDPR) Compliance
What is the GDPR?
The General Data Protection Regulation (GDPR) is a privacy law that is interpreted and enforced by all countries in the EU (and Switzerland). The GDPR became effective in May 2018. It is based on the premise that each person has the fundamental right to control their personal data and how it is used.
GDPR Expands the Definition of Personal Data
Personal Data means any information that can identify a person, directly or indirectly, such as a name, birthdate, address, ID number, location data, IP address, or a factor specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
The GDPR provides extra protection to some personal data such as: racial or ethnic origin; political opinions; religious or philosophical beliefs; genetic data; biometric data; health data; and sex life or sexual orientation.
NOTE: The GDPR protects data that ASU could otherwise share, e.g., names, email addresses, and birth dates.
GDPR Applications List
The current list of GDPR applications can be viewed here.
How to Drive a Culture of Privacy at ASU – Privacy by Design and Default
Collect only personal data that ASU truly needs, and keep it only as long as necessary
Clearly communicate what data is being collected and how it will be used
Obtain and track consent from each data subject
Anonymize or pseudonymize personal data before sharing, transmitting, or storing
Limit access to personal data, both within and outside of ASU
Use secure systems, networks, programs, and devices
Require third parties (vendors and contract partners) to use information security best practices
Only use marketing or tracking cookies with consent
Do not pre-check “yes” or automatically opt in anyone on any personal data use consents
Ensure third parties have obtained necessary consents before purchasing personal data from them
Resources:
Data Privacy Impact Assessment
GDPR Data Processing Agreement (DPA) Guidance
GDPR Guidance for Collecting and Using Data
Privacy Guidance for Requests for Information (RFIs)