Educause Security Discussion mailing list archives

Re: GDPR Question

From: David Sheryn <dsheryn () LONDON EDU>
Date: Mon, 8 Jan 2018 16:17:20 +0000

Folks,

“Most everything I've seen and council advice we've received would indicate that a US student studying abroad would 
indeed be entitled to protections under the GDPR”

That’s pretty much it: any data about living individuals that is either imported into the EU from elsewhere, or is 
generated about them while they are physically in the EU, is subject to GDPR protection.  The latter point raises 
interesting questions about what you have to do to transfer any generated data back out again, especially to places 
that don’t have an ‘adequacy finding’ in place.

Regards

--
David Sheryn | Information Security Specialist | Information Technology.
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 | Office: SO.W4.01

www.london.edu<http://www.london.edu/> | London experience. World impact.
A Graduate School of the University of London

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian T. 
Huntley
Sent: 08 January 2018 16:10
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] GDPR Question

Hi Jim -

Most everything I've seen and council advice we've received would indicate that a US student studying abroad would 
indeed be entitled to protections under the GDPR.

In fact, some have gone so far as to suggest that based on the somewhat vague definition in Article 3:  "...data 
subjects who are in the Union..." would include anyone who was physically within the bounds of the EU - whether expat, 
resident, citizen or "just visiting".

YMMV though, so definitely worth engaging your GC to get their take and enable your senior management to make an 
informed risk decision about the whole thing.

Brian


--
Brian T. Huntley
Director of Network Services and Information Security
Office of Information Technology
Clarkson University
315.268.6723

On Mon, Jan 8, 2018 at 9:50 AM, Pardonek, Jim <jpardonek () luc edu<mailto:jpardonek () luc edu>> wrote:
Good Morning,

We have been having some discussions regarding what population’s records are subject to GDPR.  The discussion centers 
around whether or not the records of US citizens that study abroad fall under GDPR.  Some say it’s only those who are 
citizens of the EU.  Is there any guidance on this topic?

Thanks and have a great day.

Jim

James Pardonek, MS, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, 
IL<https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+(**:+(773*&entry=gmail&source=g>
  
60660<https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+(**:+(773*&entry=gmail&source=g>

•: 
(773<https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+(**:+(773*&entry=gmail&source=g>)
 508-6086

Loyola University Chicago will never ask your for your username or password.
For the lastest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>] On Behalf Of Joanna Grama
Sent: Monday, October 2, 2017 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] October 24 GDPR Webinar from Tambellini Group and EDUCAUSE

Good morning,
Many of us continue to struggle with understanding the scope and finer points of the EU GDPR and its application to US 
higher education institutions. To that end, EDUCAUSE and the Tambellini Group have been working together to share more 
information on this topic and we are pleased to announce an upcoming webinar that you may be interested in.

The jointly sponsored webinar will be held on Tuesday, October 24, 2017, from 1-2pm ET.  You can register for the 
webinar and read more about the webinar content here:  
https://marketing.thetambellinigroup.com/acton/media/10722/gdpr-and-us-higher-education-institutions-webinar

As GDPR questions have been coming up on our various EDUCAUSE lists, we have been sharing those questions with the 
Tambellini group so that they can be specifically addressed in the upcoming webinar.

Kind regards,
Joanna

(This message has been cross posted on the EDUCAUSE security, privacy, and IT GRC discussion listservs.)

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 
80027<https://maps.google.com/?q=282+Century+Place,+Suite+5000,+Louisville,+CO+80027&entry=gmail&source=g>
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu<mailto:jgrama () educause edu>

Become a Member- Everyone at your organization is an EDUCAUSE member when you join | Access discounts, resources, and 
valuable peer networks | Discover membership<https://www.educause.edu/about/discover-membership>

Current thread:

GDPR Question Pardonek, Jim (Jan 08)
- Re: GDPR Question Joanna Grama (Jan 08)
- Re: GDPR Question Hudson, Edward (Jan 08)
- Re: GDPR Question Brian T. Huntley (Jan 08)
  - Re: GDPR Question David Sheryn (Jan 08)
  - Re: GDPR Question Ben Marsden (Jan 08)
    - Re: GDPR Question Brad Judy (Jan 08)
    - Re: GDPR Question John Denune (Jan 08)
    - Re: GDPR Question Brad Judy (Jan 08)
    - Re: GDPR Question Jennifer Svensson (Jan 08)
    - Re: GDPR Question David Sheryn (Jan 08)
    - Re: GDPR Question Adam Maynard (Jan 08)
    - Re: GDPR Question Brad Judy (Jan 08)
    - Re: GDPR Question Ben Marsden (Jan 08)
- Re: GDPR Question Chris Garriss (Jan 08)

(Thread continues...)