Educause Security Discussion mailing list archives

Re: GDPR Question - Part 3


From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 9 Feb 2018 17:08:28 +0000

(setting aside the scope question and broadening it to “what are you doing” since I think the “technically” part is 
relatively small)

Some of my thoughts on steps towards GDPR compliance…(This is a brain dump, not a well edited document, but I think it 
covers the ground. I write things like this partially to benefit the community, but largely to force myself to 
articulate what’s floating around in my head.)  I tried to reference specific articles of the GDPR in places, but I 
didn’t do that everywhere.  Feel free to borrow, steal, remix, etc. for your own internal use.


  *   Get legal guidance and set scope – Have legal counsel document the compliance requirements for your institution – 
use this scope as the basis for remaining items. Return to legal for clarifications when questions arise.  This 
hopefully gives you a high-level view of the scale of the effort.
  *   Decide how to handle change management at your org.  What efforts to make significant changes to business 
processes and policies have been successful in the past?  What did they do right for engagement, communication, 
building support, taking input/feedback, training, etc. This is the difference between “everyone hates/ignores that 
GDPR team” and “that GDPR team understands and respects the impact this has on my business process and workload.”
     *   Lots of things could fall under here: communications plans, business impact analysis, stakeholder management, 
etc.
  *   Gather stakeholder team – focus on business process owners, technology service owners, contracting/grants, 
compliance management staff, etc. (this will be iterative – I hope to pull in 75% of the appropriate people in the 
first pass and expand as needed based on the enumeration steps below)
     *   Define roles and responsibilities for GDPR working group
     *   Educate group on GDPR scope (as defined by legal) and requirements – I’m big on two things for education: read 
the text of the law directly and work with your legal counsel to aid in understanding how it applies to your institution
  *   Develop standards for GDPR items that can apply broadly and can be leveraged by all/many business processes 
(sub-committee tasks)
     *   Define on-going GDPR compliance management roles/responsibilities (maybe new GDPR policy, maybe edits to 
existing privacy policy?)
        *   Will you be assigning someone the role of “data protection officer”? (Art 37-39)
     *   Process for handling of GDPR requirements in contracts (where your institution is being asked/required to be 
GDPR compliant)
     *   Process for ensuring third-parties contracted by your institution to handle in-scope data are meeting 
requirements
     *   Standards for informed consent language/process
     *   Data breach notification processes (Art 33-34) – Update existing procedures/policies
     *   Specific technical controls standards (?) – see section on technical controls below…
  *   Enumerate large-scale business processes that collect information from in-scope individuals (add stakeholders as 
needed)
     *   Admissions, fundraising, hiring, etc.
     *   For the moment, ignoring small scale and ad hoc processes – focus on systemic, primary processes
  *   Enumerate primary data storage areas for in-scope PII (both on-prem and third-party)
     *   Just a few to consider: student system, admissions systems, international student and scholar management 
systems, fundraising systems, CRMs, learning management systems, employment application systems, prospect/recruiting 
systems, transcript processing services, data warehousing, data analytics, etc.
     *   I think it’s an excellent, but challenging, exercise to create and maintain good documentation about “where 
are all of the places where [student, employee, etc.] data is systemically stored/handled?” Note that I say 
“systemically” because it probably isn’t feasible to enumerate “all places” when we have things like individual faculty 
members keeping track of student work/grades on endpoints.
     *   Also a good time to think about things like “hey, have we been forgetting to purge old data according to our 
retention plans?” and “we’ve been collecting ‘favorite color’ from everyone for ten years, but we’ve never used it for 
anything, maybe we should just purge that field.”
  *   Document business need for collected data – this helps with both the “why do you want this?” questions as well as 
setting the stage for determining what data must be kept versus purged if you receive a “right to be forgotten” 
request.  This step might benefit from defined data categories like “admissions data” or “fundraising data” so you 
don’t spend too much time bogged down at the attribute level.  If you have defined data categories for data retention 
or classification standards, these could be useful constructs to reference.
     *   If you can’t come up with any business reason to collect or store a particular piece of information, then 
regulations like GDPR are pushing organizations towards dumping unneeded data.  Have fun with those discussions with 
your local favorite data hoarders (/me glances at the data analytics junkies)
  *   Define processes for data subject rights (Art 12-23) – I’m doing this here rather than in the earlier broad 
process step because I think these discussions are better informed with the inventories of business processes, data 
handling and business needs.
     *   Right to know what data is collected and how it is used (hey, we just worked on that in the steps above – good 
job team!)
     *   Right to rectify – hopefully we all have existing processes for people to request corrections to data
     *   Right to erasure (right to be forgotten) – This is a new thing for most of us and will require a lot of 
discussion. Fortunately, we did some work above to define the business need for different pieces of data. This should 
set the foundation for what data can and cannot be removed upon request. However, it doesn’t help with the technical 
work to figure out how to actually remove data that you deem can be removed.  Expect to get bogged down in this 
discussion forever. ☺
     *   Right to data portability – Another interesting one.  Can you easily export/report on the data you have about 
an individual across potentially many different systems?  Who is responsible for this process and how would a request 
be initiated and handled?
  *   Technical controls
     *   For the most part, I think the technical security controls will not be as major of a change compared to some 
of the business process items above. It mostly focuses on risk assessments and the need for “appropriate measures” 
based on the risk, cost, etc.  (Art 25 and 32)
     *   Decide what, if any, adjustments to institutional security standards you need to make.  Maybe your existing 
standards already address the risk assessment and appropriate controls needs.
  *   The “what did we forget” step – review plans with legal counsel and/or compliance management staff to ensure they 
meet the compliance needs.  Fill gaps and make adjustments as needed.  Re-read the GDPR text to see if you forgot 
things.
  *   You now have a ton of new standards, documents, changes to business processes, etc.  I hope you did a good job on 
that change management process step.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu



From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Theresa Rowe <rowe () OAKLAND EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, February 9, 2018 at 6:50 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] GDPR Question - Part 3

OK, we are all doing a great job discussing scope, as in who does this apply to.  Trying again, once you have campus 
agreement about who is in scope (the population), what are you doing technically?

Theresa Rowe
Chief Information Officer
Oakland University


On Thu, Feb 8, 2018 at 3:09 PM, Theresa Rowe <rowe () oakland edu> wrote:
Around January 8, there was an interesting discussion about the scope of records covered by GDPR.  At one point, John 
Denune summarized it nicely as:
From the EDUCAUSE/Tambellini Group webinar, one of the scenarios presented involved a US faculty member visiting 
Finland on sabbatical. While in Finland, the scenario concluded that:

  *   All personal data the faculty member sends back to the home institution falls under GDPR
  *   This includes the personal data of her US PhD students that she may send back to the US
  *   This also may include all personal data she has with her when she returns to the US.

So let's say you've determined the scope with your GC.  As an IT professional, what are you doing to comply?
At this point, we are documenting our existing data privacy owners, our security officer, our policies on privacy, and 
reusing existing policy.  Are you finding a big action that requires attention?
Theresa Rowe
Chief Information Officer
Oakland University


On Mon, Jan 8, 2018 at 9:50 AM, Pardonek, Jim <jpardonek () luc edu> wrote:
Good Morning,

We have been having some discussions regarding what population’s records are subject to GDPR.  The discussion centers 
around whether or not the records of US citizens that study abroad fall under GDPR.  Some say it’s only those who are 
citizens of the EU.  Is there any guidance on this topic?

Thanks and have a great day.

Jim

James Pardonek, MS, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
Phone: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna Grama
Sent: Monday, October 2, 2017 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] October 24 GDPR Webinar from Tambellini Group and EDUCAUSE

Good morning,
Many of us continue to struggle with understanding the scope and finer points of the EU GDPR and its application to US 
higher education institutions. To that end, EDUCAUSE and the Tambellini Group have been working together to share more 
information on this topic and we are pleased to announce an upcoming webinar that you may be interested in.

The jointly sponsored webinar will be held on Tuesday, October 24, 2017, from 1-2pm ET.  You can register for the 
webinar and read more about the webinar content here:  
https://marketing.thetambellinigroup.com/acton/media/10722/gdpr-and-us-higher-education-institutions-webinar

As GDPR questions have been coming up on our various EDUCAUSE lists, we have been sharing those questions with the 
Tambellini group so that they can be specifically addressed in the upcoming webinar.

Kind regards,
Joanna

(This message has been cross posted on the EDUCAUSE security, privacy, and IT GRC discussion listservs.)

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu

