Re: EU's GDPR - is anyone worrying/doing anything?

[Chris Garriss <chris_garriss () UNC EDU>]

I quite agree as to a great topic.  From Educause Review not too long ago:

    The European Union (EU) General Data Protection Regulation (GDPR)
    <http://www.eugdpr.org/>, adopted in April 2016, is a regulation
    that is intended to broadly and conclusively provide data privacy
    and security protection for residents of the EU. It becomes
    effective May 25, 2018. The GDPR is binding on all 28 EU member
    states and will immediately repeal previous data regulations,
    including the 1995 EU Data Protection Directive.1 The GDPR has a
    wider reach and broader scope than the EU Data Protection Directive.
    The GDPR can in many cases apply to U.S. higher education
    institutions if those institutions control or process data about
    residents of the EU. Unlike prior laws, the GDPR takes the position
    that residents of the EU should not be deprived of security and
    privacy protections solely because a business or organization that
    targets those residents is located elsewhere.

Note that it is residents, not citizens.  If you have Summer Abroad or
similar programs, the personnel (students, staff, etc) are all covered
by GDPR at least while in the EU.  Transferring certain information back
to the USA - or other countries - could be a GDPR violation.  There are
situations, which in the USA would be Title IX violation, where
transferring information back to USA would be a GDPR violation.  With
potential fines of €20 million or 4% of gross annual revenues, which
ever is larger is a great reason for in depth understanding.

If you read the Regulation, you will see that in some circumstances
there is an allowance for transferring data required by law:  this only
applies to EU law, not the law of any other country.  The next year
until it comes into effect, and the first several after, will likely be
quite interesting.

On 8/30/2017 1:17 PM, Conlee, Keith wrote:
>  
> Great Topic. 
>  
> I pulled some language from the blog pertaining to the scope of GDPR
> (indented below).  Even though it says that the "language is quite
> broad and will conceivably cover almost any website on the Internet"
> offering goods or services and collecting PII on the "data subjects." 
> I cannot believe that it would apply to every local mom-and-pop
> retailer, or even national US-only retailer who do not "actively"
> offer goods or services to EU residents.  Or anything about EU
> residents actions while physically not in the EU.  But since GDPR is
> not effective until May 2018, no courts have interpreted GDPR yet.  If
> a local institution/company is not actively advertising in the EU
> (e.g. spending advertising $$$ in the EU), my _non-expert_ opinion is
> that they should not be "in-scope" of the GDPR just because someone in
> the EU can find their website and order goods/services to be shipped
> (name and address are PII), or take an online class.  Said another
> way, just because you can find a US-only website to purchase
> goods/services should not put website owner in scope of GDPR.   Yes we
> go through great pains to protect all of our student data, but right
> now it may not be GDPR compliant.  But I will definitely pass this on
> to our general counsel to research further and for a more expert analysis.
>  
> Maybe you can disclaim being Non-GDPR compliant if you only “actively”
> advertise (versus “passively” advertise just by virtue of having a
> website on the internet) in the US (or smaller region).  The
> disclaimer could warn EU residents about an institution/company maybe
> not being GDPR compliant in the event someone googles a product or
> service and finds it available at a US-only advertising
> company/institution.   Again, IMHO.  Again, I will pass to our general
> counsel.  And it will be for the courts to decide.  Who wants to be
> the first guinea pig J (some humor).
>  
>  
> The GDPR applies to any organization established outside of the EU
> that processes any personally identifiable data (called "personal
> data" in the GDPR) about residents of the EU (called "data subjects"
> in the GDPR) when that processing is related to either:
>  
> a) "the offering of goods or services, irrespective of whether a
> payment of the data subject is required, to such data subjects in the
> Union; or
>  
> b) the monitoring of their behaviour as far as their behaviour takes
> place within the Union."
>  
> This language is quite broad and will conceivably cover almost any
> website on the Internet that is globally available, offers goods or
> services, and collects personal information of any kind.
>  
>  
>  
>  
> Keith Conlee, JD, MS/BS, PCIP, CISSP, CISA, CBCP
> Chief Security Officer, IT
> College of DuPage
> 425 Fawell Blvd.
> Glen Ellyn, IL 60137-6599
>  
> Ph. - 630.942.3055
> conlee () cod edu
>  
>  
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SECURITY
> automatic digest system
> Sent: Monday, August 21, 2017 11:00 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: SECURITY Digest - 18 Aug 2017 to 21 Aug 2017 (#2017-143)
>  
> There are 4 messages totalling 462 lines in this issue.
>  
> Topics of the day:
>  
>   1. EU's GDPR - is anyone worrying/doing anything? (4)
>  
> ----------------------------------------------------------------------
>  
> Date:    Mon, 21 Aug 2017 17:56:23 +0000
> From:    Joanna Grama <jgrama () EDUCAUSE EDU <mailto:jgrama () EDUCAUSE EDU>>
> Subject: Re: EU's GDPR - is anyone worrying/doing anything?
>  
> Hello everyone,
> I promised to update you all as GDPR materials are published.  Please
> note that a Security Matters blog on GDPR was published last week. 
> You can find that blog here: 
> http://er.educause.edu/blogs/2017/8/gdpr-a-data-regulation-to-watch
>  
> For those of you attending the EDUCAUSE Annual Conference, you can
> find information on the GDPR session here:
> https://events.educause.edu/annual-conference/2017/agenda/the-new-eu-general-data-protection-regulations-what-it-specialists-need-to-know
> (Session information is in the process of being uploaded; but the
> date/time information is correct.)
>  
> Kind regards,
> Joanna
>  
>  
> Joanna Grama, JD, CISSP, CRISC, CIPT
> Director of Cybersecurity and IT GRC Programs
>  
> EDUCAUSE
> Uncommon Thinking for the Common Good
> 282 Century Place, Suite 5000, Louisville, CO 80027
> direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu
> <mailto:jgrama () educause edu>
>  
>  
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna Grama
> Sent: Tuesday, June 06, 2017 8:31 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
>  
> Hi Everyone,
> EDUCAUSE is working to marshal some GDPR resources for IT
> professionals.  The National Association of College and University
> Attorneys (NACUA) will be presenting a panel presentation on GDPR at
> the EDUCAUSE Annual Conference this fall. In addition, our policy
> director, Jarret Cummings, is working with another organization to
> source some blogs and other online content about GDPR.  As materials
> are published, I will be sure to send an alert to this list.
>  
> Kind regards,
> Joanna
>  
>  
> Joanna Grama, JD, CISSP, CRISC, CIPT
> Director of Cybersecurity and IT GRC Programs
>  
> EDUCAUSE
> Uncommon Thinking for the Common Good
> 282 Century Place, Suite 5000, Louisville, CO 80027
> direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu
> <mailto:jgrama () educause edu>
>  
>  
>  
>  
>  
>  
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Dillon
> Sent: Monday, June 5, 2017 1:12 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
>  
> Laura,
>  
> No plans (solid/documented/complete) I'm aware of yet, but our
> compliance audit manager is fairly concerned about its potential
> impact and we are gathering opinions and researching the topic.  Her
> sense is we will need to take steps to comply.  Not being a legal
> expert myself I'm always in jurisdictional quandaries about
> regulations from other nations and in other states (remember
> California's privacy rules?) and how those could have tangible impact,
> but so far people closer to this issue than I believe it to be real. 
> Since CU is very heavily reaching out to international students we may
> have this problem to a greater degree than others.
>  
> Sorry nothing specific to report other than it does pay to pay
> attention here.  I suggest taking this to compliance and legal folks
> for interpretation as they will (or should) have a more sound
> understanding of the implications.  My impression is that if we
> advertise and register students in GDPR nations we are definitely
> accountable for any actions there, and that given the typical Internet
> jurisdictional concerns, we probably are here as well.  I don't have a
> handle on what that means from an operational standpoint yet but it
> looks a bit onerous to me at the moment.  Yet another set of demands
> to add to your favorite cross-walk.
>  
> Might be a good question for the privacy/policy forums if you don't
> mind cross-posting a bit.
>  
> Best regards,
>  
> Jim Dillon
>  
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Jim Dillon
> Director of IT Audit Services, CU Internal Audit
> 303-735-7028
>  
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Laura Raderman
> Sent: Monday, June 05, 2017 10:48 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
>  
> Is there any institution that’s worried about or otherwise doing
> anything about the GDPR and getting ready for the May 2018
> “deadline”?  If so, would you be willing to give me a quick overview
> of what you’re including in your plans?
>  
> Thanks,
> Laura
>  
> Laura Raderman
> ISO Policy & Compliance Coordinator
> Carnegie Mellon University
> lraderman () cmu edu <mailto:lraderman () cmu edu>
>  
> ------------------------------
>  
> Date:    Mon, 21 Aug 2017 14:08:35 -0500
> From:    Ken Connelly <ken.connelly () UNI EDU <mailto:ken.connelly () UNI EDU>>
> Subject: Re: EU's GDPR - is anyone worrying/doing anything?
>  
> Joanna -
>  
> Seems as though this would be a worthwhile topic for Security
> Professionals Conference as well, although next April is clearly too
> late to begin planning for this.
>  
> - ken
>  
> On 8/21/17 12:56 PM, Joanna Grama wrote:
> > Hello everyone,
> > I promised to update you all as GDPR materials are published.  Please
> > note that a Security Matters blog on GDPR was published last week. 
> > You can find that blog here:  
> > http://er.educause.edu/blogs/2017/8/gdpr-a-data-regulation-to-watch
> >
> > For those of you attending the EDUCAUSE Annual Conference, you can
> > find information on the GDPR session here: 
> > https://events.educause.edu/annual-conference/2017/agenda/the-new-eu-g
> > eneral-data-protection-regulations-what-it-specialists-need-to-know
> > (Session information is in the process of being uploaded; but the
> > date/time information is correct.)
> >
> > Kind regards,
> > Joanna
> >
> >
> > Joanna Grama, JD, CISSP, CRISC, CIPT
> > Director of Cybersecurity and IT GRC Programs
> >
> > EDUCAUSE
> > Uncommon Thinking for the Common Good
> > 282 Century Place, Suite 5000, Louisville, CO 80027
> > direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu <mailto:jgrama () educause edu>
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna Grama
> > Sent: Tuesday, June 06, 2017 8:31 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> >
> > Hi Everyone,
> > EDUCAUSE is working to marshal some GDPR resources for IT professionals.  The National Association of College and
> University Attorneys (NACUA) will be presenting a panel presentation
> on GDPR at the EDUCAUSE Annual Conference this fall. In addition, our
> policy director, Jarret Cummings, is working with another organization
> to source some blogs and other online content about GDPR.  As
> materials are published, I will be sure to send an alert to this list.
> > Kind regards,
> > Joanna
> >
> >
> > Joanna Grama, JD, CISSP, CRISC, CIPT
> > Director of Cybersecurity and IT GRC Programs
> >
> > EDUCAUSE
> > Uncommon Thinking for the Common Good
> > 282 Century Place, Suite 5000, Louisville, CO 80027
> > direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu <mailto:jgrama () educause edu>
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Dillon
> > Sent: Monday, June 5, 2017 1:12 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> >
> > Laura,
> >
> > No plans (solid/documented/complete) I'm aware of yet, but our compliance audit manager is fairly concerned about 
> > its
> potential impact and we are gathering opinions and researching the
> topic.  Her sense is we will need to take steps to comply.  Not being
> a legal expert myself I'm always in jurisdictional quandaries about
> regulations from other nations and in other states (remember
> California's privacy rules?) and how those could have tangible impact,
> but so far people closer to this issue than I believe it to be real. 
> Since CU is very heavily reaching out to international students we may
> have this problem to a greater degree than others.
> > Sorry nothing specific to report other than it does pay to pay attention here.  I suggest taking this to compliance 
> > and
> legal folks for interpretation as they will (or should) have a more
> sound understanding of the implications.  My impression is that if we
> advertise and register students in GDPR nations we are definitely
> accountable for any actions there, and that given the typical Internet
> jurisdictional concerns, we probably are here as well.  I don't have a
> handle on what that means from an operational standpoint yet but it
> looks a bit onerous to me at the moment.  Yet another set of demands
> to add to your favorite cross-walk.
> > Might be a good question for the privacy/policy forums if you don't mind cross-posting a bit.
> >
> > Best regards,
> >
> > Jim Dillon
> >
> > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Jim Dillon
> > Director of IT Audit Services, CU Internal Audit
> > 303-735-7028
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Laura Raderman
> > Sent: Monday, June 05, 2017 10:48 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> >
> > Is there any institution that’s worried about or otherwise doing anything about the GDPR and getting ready for the 
> > May
> 2018 “deadline”?  If so, would you be willing to give me a quick
> overview of what you’re including in your plans?
> > Thanks,
> > Laura
> >
> > Laura Raderman
> > ISO Policy & Compliance Coordinator
> > Carnegie Mellon University
> > lraderman () cmu edu <mailto:lraderman () cmu edu>
>  
> --
> - Ken
> =================================================================
> Ken Connelly                       Director, Information Security
> Information Security Officer          University of Northern Iowa
> email: Ken.Connelly () uni edu <mailto:Ken.Connelly () uni edu>   p: (319)
> 273-5850 f: (319) 273-7373
>  
> Any request to divulge your UNI password via e-mail is fraudulent!
>  
> ------------------------------
>  
> Date:    Mon, 21 Aug 2017 20:31:12 +0000
> From:    Joanna Grama <jgrama () EDUCAUSE EDU <mailto:jgrama () EDUCAUSE EDU>>
> Subject: Re: EU's GDPR - is anyone worrying/doing anything?
>  
> Absolutely, Ken.
>  
> The call for proposals for the Security Professionals Conference will
> open in two short weeks.  If your institution has been looking into
> GDPR and has implemented a GDPR plan or process, your colleagues would
> LOVE it if you would share your knowledge at the conference.
>  
> Information about how to submit a proposal will be posted to this list
> when the call for proposals opens.
>  
> Thanks,
> Joanna
>  
>  
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
> Sent: Monday, August 21, 2017 3:09 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
>  
> Joanna -
>  
> Seems as though this would be a worthwhile topic for Security
> Professionals Conference as well, although next April is clearly too
> late to begin planning for this.
>  
> - ken
>  
> On 8/21/17 12:56 PM, Joanna Grama wrote:
> > Hello everyone,
> > I promised to update you all as GDPR materials are published.  Please
> > note that a Security Matters blog on GDPR was published last week.
> > You can find that blog here:  
> > http://er.educause.edu/blogs/2017/8/gdpr-a-data-regulation-to-watch
> >
> > For those of you attending the EDUCAUSE Annual Conference, you can
> > find information on the GDPR session here:
> > https://events.educause.edu/annual-conference/2017/agenda/the-new-eu-g
> > eneral-data-protection-regulations-what-it-specialists-need-to-know
> > (Session information is in the process of being uploaded; but the
> > date/time information is correct.)
> >
> > Kind regards,
> > Joanna
> >
> >
> > Joanna Grama, JD, CISSP, CRISC, CIPT
> > Director of Cybersecurity and IT GRC Programs
> >
> > EDUCAUSE
> > Uncommon Thinking for the Common Good
> > 282 Century Place, Suite 5000, Louisville, CO 80027
> > direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu <mailto:jgrama () educause edu>
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna Grama
> > Sent: Tuesday, June 06, 2017 8:31 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> >
> > Hi Everyone,
> > EDUCAUSE is working to marshal some GDPR resources for IT professionals.  The National Association of College and
> University Attorneys (NACUA) will be presenting a panel presentation
> on GDPR at the EDUCAUSE Annual Conference this fall. In addition, our
> policy director, Jarret Cummings, is working with another organization
> to source some blogs and other online content about GDPR.  As
> materials are published, I will be sure to send an alert to this list.
> > Kind regards,
> > Joanna
> >
> >
> > Joanna Grama, JD, CISSP, CRISC, CIPT
> > Director of Cybersecurity and IT GRC Programs
> >
> > EDUCAUSE
> > Uncommon Thinking for the Common Good
> > 282 Century Place, Suite 5000, Louisville, CO 80027
> > direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu <mailto:jgrama () educause edu>
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Dillon
> > Sent: Monday, June 5, 2017 1:12 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> >
> > Laura,
> >
> > No plans (solid/documented/complete) I'm aware of yet, but our compliance audit manager is fairly concerned about 
> > its
> potential impact and we are gathering opinions and researching the
> topic.  Her sense is we will need to take steps to comply.  Not being
> a legal expert myself I'm always in jurisdictional quandaries about
> regulations from other nations and in other states (remember
> California's privacy rules?) and how those could have tangible impact,
> but so far people closer to this issue than I believe it to be real. 
> Since CU is very heavily reaching out to international students we may
> have this problem to a greater degree than others.
> > Sorry nothing specific to report other than it does pay to pay attention here.  I suggest taking this to compliance 
> > and
> legal folks for interpretation as they will (or should) have a more
> sound understanding of the implications.  My impression is that if we
> advertise and register students in GDPR nations we are definitely
> accountable for any actions there, and that given the typical Internet
> jurisdictional concerns, we probably are here as well.  I don't have a
> handle on what that means from an operational standpoint yet but it
> looks a bit onerous to me at the moment.  Yet another set of demands
> to add to your favorite cross-walk.
> > Might be a good question for the privacy/policy forums if you don't mind cross-posting a bit.
> >
> > Best regards,
> >
> > Jim Dillon
> >
> > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Jim Dillon
> > Director of IT Audit Services, CU Internal Audit
> > 303-735-7028
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Laura Raderman
> > Sent: Monday, June 05, 2017 10:48 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> >
> > Is there any institution that’s worried about or otherwise doing anything about the GDPR and getting ready for the 
> > May
> 2018 “deadline”?  If so, would you be willing to give me a quick
> overview of what you’re including in your plans?
> > Thanks,
> > Laura
> >
> > Laura Raderman
> > ISO Policy & Compliance Coordinator
> > Carnegie Mellon University
> > lraderman () cmu edu <mailto:lraderman () cmu edu>
>  
> --
> - Ken
> =================================================================
> Ken Connelly                       Director, Information Security
> Information Security Officer          University of Northern Iowa
> email: Ken.Connelly () uni edu <mailto:Ken.Connelly () uni edu>   p: (319)
> 273-5850 f: (319) 273-7373
>  
> Any request to divulge your UNI password via e-mail is fraudulent!
>  
> ------------------------------
>  
> Date:    Mon, 21 Aug 2017 15:51:05 -0500
> From:    Ken Connelly <ken.connelly () UNI EDU <mailto:ken.connelly () UNI EDU>>
> Subject: Re: EU's GDPR - is anyone worrying/doing anything?
>  
> Yeah, I'm a consumer on this one, not a provider...
>  
> - ken
>  
> On 8/21/17 3:31 PM, Joanna Grama wrote:
> > Absolutely, Ken.
> >
> > The call for proposals for the Security Professionals Conference will open in two short weeks.  If your
> institution has been looking into GDPR and has implemented a GDPR plan
> or process, your colleagues would LOVE it if you would share your
> knowledge at the conference.
> > Information about how to submit a proposal will be posted to this list when the call for proposals opens.
> >
> > Thanks,
> > Joanna
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
> > Sent: Monday, August 21, 2017 3:09 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> >
> > Joanna -
> >
> > Seems as though this would be a worthwhile topic for Security Professionals Conference as well, although next April 
> > is
> clearly too late to begin planning for this.
> > - ken
> >
> > On 8/21/17 12:56 PM, Joanna Grama wrote:
> > > Hello everyone,
> > > I promised to update you all as GDPR materials are published.  Please
> > > note that a Security Matters blog on GDPR was published last week.
> > > You can find that blog here:  
> > > http://er.educause.edu/blogs/2017/8/gdpr-a-data-regulation-to-watch
> > >
> > > For those of you attending the EDUCAUSE Annual Conference, you can
> > > find information on the GDPR session here:
> > > https://events.educause.edu/annual-conference/2017/agenda/the-new-eu-
> > > g eneral-data-protection-regulations-what-it-specialists-need-to-know
> > > (Session information is in the process of being uploaded; but the
> > > date/time information is correct.)
> > >
> > > Kind regards,
> > > Joanna
> > >
> > >
> > > Joanna Grama, JD, CISSP, CRISC, CIPT
> > > Director of Cybersecurity and IT GRC Programs
> > >
> > > EDUCAUSE
> > > Uncommon Thinking for the Common Good
> > > 282 Century Place, Suite 5000, Louisville, CO 80027
> > > direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu <mailto:jgrama () educause edu>
> > >
> > >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna Grama
> > > Sent: Tuesday, June 06, 2017 8:31 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > > Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> > >
> > > Hi Everyone,
> > > EDUCAUSE is working to marshal some GDPR resources for IT professionals.  The National Association of College
> and University Attorneys (NACUA) will be presenting a panel
> presentation on GDPR at the EDUCAUSE Annual Conference this fall. In
> addition, our policy director, Jarret Cummings, is working with
> another organization to source some blogs and other online content
> about GDPR.  As materials are published, I will be sure to send an
> alert to this list.
> > > Kind regards,
> > > Joanna
> > >
> > >
> > > Joanna Grama, JD, CISSP, CRISC, CIPT
> > > Director of Cybersecurity and IT GRC Programs
> > >
> > > EDUCAUSE
> > > Uncommon Thinking for the Common Good
> > > 282 Century Place, Suite 5000, Louisville, CO 80027
> > > direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu <mailto:jgrama () educause edu>
> > >
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Dillon
> > > Sent: Monday, June 5, 2017 1:12 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > > Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> > >
> > > Laura,
> > >
> > > No plans (solid/documented/complete) I'm aware of yet, but our compliance audit manager is fairly concerned about
> its potential impact and we are gathering opinions and researching the
> topic.  Her sense is we will need to take steps to comply.  Not being
> a legal expert myself I'm always in jurisdictional quandaries about
> regulations from other nations and in other states (remember
> California's privacy rules?) and how those could have tangible impact,
> but so far people closer to this issue than I believe it to be real. 
> Since CU is very heavily reaching out to international students we may
> have this problem to a greater degree than others.
> > > Sorry nothing specific to report other than it does pay to pay attention here.  I suggest taking this to compliance
> and legal folks for interpretation as they will (or should) have a
> more sound understanding of the implications.  My impression is that
> if we advertise and register students in GDPR nations we are
> definitely accountable for any actions there, and that given the
> typical Internet jurisdictional concerns, we probably are here as
> well.  I don't have a handle on what that means from an operational
> standpoint yet but it looks a bit onerous to me at the moment.  Yet
> another set of demands to add to your favorite cross-walk.
> > > Might be a good question for the privacy/policy forums if you don't mind cross-posting a bit.
> > >
> > > Best regards,
> > >
> > > Jim Dillon
> > >
> > > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Jim Dillon
> > > Director of IT Audit Services, CU Internal Audit
> > > 303-735-7028
> > >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Laura Raderman
> > > Sent: Monday, June 05, 2017 10:48 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> > > Subject: [SECURITY] EU's GDPR - is anyone worrying/doing anything?
> > >
> > > Is there any institution that’s worried about or otherwise doing anything about the GDPR and getting ready for the 
> > > May
> 2018 “deadline”?  If so, would you be willing to give me a quick
> overview of what you’re including in your plans?
> > > Thanks,
> > > Laura
> > >
> > > Laura Raderman
> > > ISO Policy & Compliance Coordinator
> > > Carnegie Mellon University
> > > lraderman () cmu edu <mailto:lraderman () cmu edu>
> > --
> > - Ken
> > =================================================================
> > Ken Connelly                       Director, Information Security
> > Information Security Officer          University of Northern Iowa
> > email: Ken.Connelly () uni edu <mailto:Ken.Connelly () uni edu>   p: (319) 273-5850
> f: (319) 273-7373
> > Any request to divulge your UNI password via e-mail is fraudulent!
>  
> --
> - Ken
> =================================================================
> Ken Connelly                       Director, Information Security
> Information Security Officer          University of Northern Iowa
> email: Ken.Connelly () uni edu <mailto:Ken.Connelly () uni edu>   p: (319)
> 273-5850 f: (319) 273-7373
>  
> Any request to divulge your UNI password via e-mail is fraudulent!
>  
> ------------------------------
>  
> End of SECURITY Digest - 18 Aug 2017 to 21 Aug 2017 (#2017-143)
> ***************************************************************
>