Re: GDPR Question - Part 2

[Ken Connelly <ken.connelly () UNI EDU>]

Correct.  I believe it applies to US (and EU) citizens while they are in
the EU.  And it doesn't apply to EU citizens while they are in the US
and interacting with US institutions.  Of course, whether any of it
applies to US institutions in the US at all is TBD based on future court
rulings.

- ken

On 2/8/18 3:09 PM, Penn, Blake C wrote:
> From my understanding, GDPR protections apply solely to EU residents,
> not citizens – that is, anyone actually in the EU and only while they
> are in the EU.
>
>  
>
> Regards,
>
>  
>
> Blake Penn
>
> Information Security Policy and Compliance Manager
>
> Cyber Security
>
> Georgia Institute of Technology
>
> (404) 385-5480
>
>  
>
> *From:*The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Hart, Michael
> *Sent:* Thursday, February 8, 2018 15:57
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] GDPR Question - Part 2
>
>  
>
> I was under the impression that the GDPR protections applied to EU
> citizens while they are in the EU.  Regardless of where our systems
> and data are residing, the citizenship and location of the individual
> is what we were told to focus on. 
>
>  
>
> I find it daunting to sort through the various directions different
> interpretations take us.  I am working with our GC and shared
> governance groups to get a campus interpretation we can work with.  I
> think we’ll be trying to provide this GDPR treatment to all data, as I
> think it’s easier than trying to cherry pick whose data was relevant
> during which time period. 
>
>  
>
> The good news is this is getting attention from our GC office, and
> they’re really starting to focus on records retention and data
> governance overall, not just specific compliance issues.  I’m
> astounded by the number of departments that haven’t heard of GDPR. 
>
>  
>
> *From:*The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Theresa Rowe
> *Sent:* Thursday, February 8, 2018 1:09 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject:* Re: [SECURITY] GDPR Question - Part 2
>
>  
>
> Around January 8, there was an interesting discussion about the scope
> of records covered by GPDR.  At one point, John Denune summarized it
> nicely as:
>
> From the EDUCAUSE/Tambellini Group webinar, one of the scenarios
> presented involved a US faculty member visiting Finland on sabbatical.
> While in Finland, the scenario concluded that:
>
>   * All personal data the faculty member sends back to the home
>     institution falls under GDPR
>   * This includes the personal data of her US PhD students that she
>     may send back to the US
>   * This also may include all personal data she has with her when she
>     returns to the US.
>
>  
>
> So let's say you've determined the scope with your GC.  As an IT
> professional, what are you doing to comply?
> At this point, we are documenting our existing data privacy owners,
> our security officer, our policies on privacy, and reusing existing
> policy.  Are you finding an big action that requires attention?
>
> Theresa Rowe
>
> Chief Information Officer
> Oakland University
>  
>
>  
>
> On Mon, Jan 8, 2018 at 9:50 AM, Pardonek, Jim <jpardonek () luc edu
> <mailto:jpardonek () luc edu>> wrote:
>
>     Good Morning,
>
>      
>
>     We have been having some discussions regarding what population’s
>     records are subject to GDPR.  The discussion centers around
>     whether or not the records of US citizens that study abroad fall
>     under GDPR.  Some say it’s only those who are citizens of the EU. 
>     Is there any guidance on this topic?
>
>      
>
>     Thanks and have a great day.
>
>      
>
>     Jim
>
>      
>
>     *James Pardonek, MS, CISSP, CEH*
>
>     *Information Security Officer**
>     Loyola University Chicago 
>     1032 W. Sheridan Road | Chicago, IL
>     
> <https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+%28**:+%28773*&entry=gmail&source=g>
>   60660
>     
> <https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+%28**:+%28773*&entry=gmail&source=g>
>     **
>     (**: (773
>     
> <https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+%28**:+%28773*&entry=gmail&source=g>)
>     508-6086*
>
>      
>
>     *Loyola University Chicago will never ask your for your username
>     or password.*
>
>     *For the lastest information security news at Loyola, please
>     follow us online,*
>
>     *Twitter: @LUCUISO*
>
>     *Facebook: https://www.facebook.com/lucuiso/*
>
>     *Our Blog http://blogs.luc.edu/uiso/*
>
>      
>
>     *From:*The EDUCAUSE Security Constituent Group Listserv
>     [mailto:SECURITY () LISTSERV EDUCAUSE EDU
>     <mailto:SECURITY () LISTSERV EDUCAUSE EDU>] *On Behalf Of *Joanna Grama
>     *Sent:* Monday, October 2, 2017 9:16 AM
>     *To:* SECURITY () LISTSERV EDUCAUSE EDU
>     <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
>     *Subject:* [SECURITY] October 24 GDPR Webinar from Tambellini
>     Group and EDUCAUSE
>
>      
>
>     Good morning,
>
>     Many of us continue to struggle with understanding the scope and
>     finer points of the EU GDPR and its application to US higher
>     education institutions. To that end, EDUCAUSE and the Tambellini
>     Group have been working together to share more information on this
>     topic and we are pleased to announce an upcoming webinar that you
>     may be interested in.
>
>      
>
>     The jointly sponsored webinar will be held on Tuesday, October 24,
>     2017, from 1-2pm ET.  You can register for the webinar and read
>     more about the webinar content here: 
>     https://marketing.thetambellinigroup.com/acton/media/10722/gdpr-and-us-higher-education-institutions-webinar
>
>      
>
>     As GDPR questions have been coming up on our various EDUCAUSE
>     lists, we have been sharing those questions with the Tambellini
>     group so that they can be specifically addressed in the upcoming
>     webinar.
>
>      
>
>     Kind regards,
>
>     Joanna
>
>      
>
>     /(This message has been cross posted on the EDUCAUSE security,
>     privacy, and IT GRC discussion listservs.)/
>
>      
>
>     *Joanna Grama, JD, CISSP, CRISC, CIPT*
>     Director of Cybersecurity and IT GRC Programs
>
>      
>
>     *EDUCAUSE*
>     /Uncommon Thinking for the Common Good/
>     282 Century Place, Suite 5000, Louisville, CO 80027
>     <https://maps.google.com/?q=282+Century+Place,+Suite+5000,+Louisville,+CO+80027&entry=gmail&source=g>
>     direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu
>     <mailto:jgrama () educause edu>
>
>      
>
>     *Become a Member*/- Everyone at your organization is an EDUCAUSE
>     member when you join/|//Access discounts, resources, and valuable
>     peer networks |Discover membership
>     <https://www.educause.edu/about/discover-membership>
>
>      
>
>      
>
>  

-- 
- Ken
=================================================================
Ken Connelly                       Director, Information Security
Information Security Officer          University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!