Educause Security Discussion mailing list archives

Re: EU's GDPR - is anyone worrying/doing anything?

From: Joanna Grama <jgrama () EDUCAUSE EDU>
Date: Mon, 21 Aug 2017 17:56:23 +0000

Hello everyone,
I promised to update you all as GDPR materials are published.  Please note that a Security Matters blog on GDPR was 
published last week.  You can find that blog here:  http://er.educause.edu/blogs/2017/8/gdpr-a-data-regulation-to-watch 

For those of you attending the EDUCAUSE Annual Conference, you can find information on the GDPR session here: 
https://events.educause.edu/annual-conference/2017/agenda/the-new-eu-general-data-protection-regulations-what-it-specialists-need-to-know
 
(Session information is in the process of being uploaded; but the date/time information is correct.)

Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna 
Grama
Sent: Tuesday, June 06, 2017 8:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?

Hi Everyone,
EDUCAUSE is working to marshal some GDPR resources for IT professionals.  The National Association of College and 
University Attorneys (NACUA) will be presenting a panel presentation on GDPR at the EDUCAUSE Annual Conference this 
fall. In addition, our policy director, Jarret Cummings, is working with another organization to source some blogs and 
other online content about GDPR.  As materials are published, I will be sure to send an alert to this list.

Kind regards,
Joanna 


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu 






-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim 
Dillon
Sent: Monday, June 5, 2017 1:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?

Laura,

No plans (solid/documented/complete) I'm aware of yet, but our compliance audit manager is fairly concerned about its 
potential impact and we are gathering opinions and researching the topic.  Her sense is we will need to take steps to 
comply.  Not being a legal expert myself I'm always in jurisdictional quandaries about regulations from other nations 
and in other states (remember California's privacy rules?) and how those could have tangible impact, but so far people 
closer to this issue than I believe it to be real.  Since CU is very heavily reaching out to international students we 
may have this problem to a greater degree than others.

Sorry nothing specific to report other than it does pay to pay attention here.  I suggest taking this to compliance and 
legal folks for interpretation as they will (or should) have a more sound understanding of the implications.  My 
impression is that if we advertise and register students in GDPR nations we are definitely accountable for any actions 
there, and that given the typical Internet jurisdictional concerns, we probably are here as well.  I don't have a 
handle on what that means from an operational standpoint yet but it looks a bit onerous to me at the moment.  Yet 
another set of demands to add to your favorite cross-walk.

Might be a good question for the privacy/policy forums if you don't mind cross-posting a bit.

Best regards,

Jim Dillon

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Jim Dillon Director of IT Audit Services, CU Internal Audit
303-735-7028

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Laura 
Raderman
Sent: Monday, June 05, 2017 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] EU's GDPR - is anyone worrying/doing anything?

Is there any institution that’s worried about or otherwise doing anything about the GDPR and getting ready for the May 
2018 “deadline”?  If so, would you be willing to give me a quick overview of what you’re including in your plans?

Thanks,
Laura

Laura Raderman
ISO Policy & Compliance Coordinator
Carnegie Mellon University
lraderman () cmu edu

Current thread:

Re: EU's GDPR - is anyone worrying/doing anything? Joanna Grama (Jul 03)
- <Possible follow-ups>
- Re: EU's GDPR - is anyone worrying/doing anything? Joanna Grama (Aug 21)
  - Re: EU's GDPR - is anyone worrying/doing anything? Ken Connelly (Aug 21)
    - Re: EU's GDPR - is anyone worrying/doing anything? Joanna Grama (Aug 21)
    - Re: EU's GDPR - is anyone worrying/doing anything? Ken Connelly (Aug 21)
- Re: EU's GDPR - is anyone worrying/doing anything? Conlee, Keith (Aug 30)
  - Re: EU's GDPR - is anyone worrying/doing anything? Chris Garriss (Aug 30)
- Re: EU's GDPR - is anyone worrying/doing anything? Valerie Vogel (Aug 30)
- Re: EU's GDPR - is anyone worrying/doing anything? David Stack (Aug 30)
  - Re: EU's GDPR - is anyone worrying/doing anything? Penn, Blake C (Aug 30)