Re: GDPR Question - Part 2

["Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>]

I'm certainly not a lawyer, but I've been listening to a lot of them over the past several months. It's my 
understanding that yes, the scope is formally defined as any resident of the EU (where 'resident' is anticipated to 
mean 'currently physically present'). But I'm not so sure about the "without distinction" clause.


Practically speaking, while a student on a study-abroad semester or even a university-supported vacation trip might 
fall within scope, that's not going to be the kind of thing that raises a lot of attention from enforcers, compared to 
a more permanent university presence like an ongoing partnership or EU facility or regular student exchange.


Steve


================================
Steven Lovaas
University Information Security Officer
Colorado State University
steven.lovaas () colostate edu<mailto:steven.lovaas () colostate edu>
970-297-3707
Mit der Dummheit kämpfen Götter selbst vergebens.
================================


________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Todd Watson 
<todd () USG EDU>
Sent: Thursday, February 8, 2018 3:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] GDPR Question - Part 2

I agree, Ken.

I think the scope includes all individuals located within physical EU territory. Thus, the regulation applies without 
distinction to residents, visitors, and citizens. It also appears to be in scope for persons outside the EU if their 
data is stored, processed, or maintained within the EU.

Regards,
Todd

----
Dr. W. Todd Watson, Sr., CISSP
Information Security Officer
Board of Regents of the University System of Georgia
Cybersecurity
706-583-2008

On 2/8/18, 5:04 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Ken Connelly" <SECURITY () LISTSERV 
EDUCAUSE EDU on behalf of ken.connelly () UNI EDU> wrote:

    On 2/8/18 3:55 PM, Jim Cheetham wrote:
    > Excerpts from Penn, Blake C's message of February 9, 2018 10:09 am:
    >> From my understanding, GDPR protections apply solely to EU residents,
    >> not citizens – that is, anyone actually in the EU and only while they
    >> are in the EU.
    >
    > Is that a formally-defined "Resident", or anyone who happens to simply
    > be on EU soil as part of a short-term visit or trip?
    >
    > -jim

    My understanding is the latter, e.g., a student on a study abroad visit
    or a professor traveling and doing research.

    --
    - Ken
    =================================================================
    Ken Connelly                       Director, Information Security
    Information Security Officer          University of Northern Iowa
    email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

    Any request to divulge your UNI password via e-mail is fraudulent!