Educause Security Discussion mailing list archives

Re: GDPR Question


From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 8 Jan 2018 17:33:20 +0000

I don’t think there’s consensus on some of the statements made in that particular webcast. The law is about where 
subjects reside, so the idea that data about a US resident transmitted from the EU to the US would be in-scope of this 
law doesn’t fit with most of the reading/listening I have done on the topic.  I personally felt the speaker for that 
session took a hardline compared to the other commentaries I have seen on the topic.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of John Denune <jdenune () UCI EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 8, 2018 at 10:23 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] GDPR Question

Brad,

From the EDUCAUSE/Tambellini Group webinar, one of the scenarios presented involved a US faculty member visiting 
Finland on sabbatical. While in Finland, the scenario concluded that:

  *   All personal data the faculty member sends back to the home institution falls under GDPR
  *   This includes the personal data of her US PhD students that she may send back to the US
  *   This also may include all personal data she has with her when she returns to the US.

So, from this webinar GDPR scope seems to be based on the data flow of personal information from the EU to somewhere 
else. It doesn’t seem to matter the citizenship or the residency of the subject. At least that was my take based on 
scenarios in the webinar. I also echo that working with legal counsel is the way to go to help clarify as there seem to 
be a lot of interpretations out there.

---John

--
John Denune
Security Risk and Compliance Program Manager
Office of Information Technology
University of California, Irvine
jdenune () uci edu
(949) 824-8301


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Brad Judy 
<brad.judy () CU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 8, 2018 at 8:57 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] GDPR Question

In the case of GDPR, I strongly recommend working with legal counsel about how your institution wishes to handle it.  
International extra-jurisdictional law is an interesting space and while I think there is some consistency on the 
interpretation of the intent of GDPR, it seems like different institutions have different views of what that means for 
them.

As to Ben’s point about the law not applying to EU citizens residing outside the EU (definitely true from my 
understanding), here’s another way to think about it: In order for countries to be sovereign, they aren’t subject to 
the local laws of other countries. So, some part of the equation must be within EU borders for the law to apply.  In 
other situations, the focus has been on the data physically residing within borders.  In the case of EU GDPR, it 
doesn’t care where the data resides, only that the human subject of the data is within EU borders.  This creates 
interesting discussions about individuals who are temporarily within EU borders (visiting for a week, studying/working 
for a semester, etc.).

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ben Marsden <bmarsden () SMITH EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 8, 2018 at 9:18 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] GDPR Question

expanding a bit (and with the standard IANAL caveat, it is my evolving understanding that...),  the regulation also 
states that EU citizens living abroad (i.e., outside EU-covered states) are NOT covered by the regulation while they 
remain abroad.  I.e., ex-pats aren't covered, so your faculty members who may have EU citizenship but live & work at your 
US-based institution are not covered by GDPR (erm, unless they go visit the homeland and then exchange PI covered data 
while there).

  yes, ymmv ...

On Mon, Jan 8, 2018 at 11:09 AM, Brian T. Huntley <bhuntley () clarkson edu> wrote:
Hi Jim -

Most everything I've seen and counsel advice we've received would indicate that a US student studying abroad would 
indeed be entitled to protections under the GDPR.

In fact, some have gone so far as to suggest that based on the somewhat vague definition in Article 3:  "...data 
subjects who are in the Union..." would include anyone who was physically within the bounds of the EU - whether expat, 
resident, citizen or "just visiting".

YMMV though, so definitely worth engaging your GC to get their take and enable your senior management to make an 
informed risk decision about the whole thing.

Brian


--
Brian T. Huntley
Director of Network Services and Information Security
Office of Information Technology
Clarkson University
315.268.6723

On Mon, Jan 8, 2018 at 9:50 AM, Pardonek, Jim <jpardonek () luc edu> wrote:
Good Morning,

We have been having some discussions regarding what population’s records are subject to GDPR.  The discussion centers 
around whether or not the records of US citizens that study abroad fall under GDPR.  Some say it’s only those who are 
citizens of the EU.  Is there any guidance on this topic?

Thanks and have a great day.

Jim

James Pardonek, MS, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
(773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna Grama
Sent: Monday, October 2, 2017 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] October 24 GDPR Webinar from Tambellini Group and EDUCAUSE

Good morning,
Many of us continue to struggle with understanding the scope and finer points of the EU GDPR and its application to US 
higher education institutions. To that end, EDUCAUSE and the Tambellini Group have been working together to share more 
information on this topic and we are pleased to announce an upcoming webinar that you may be interested in.

The jointly sponsored webinar will be held on Tuesday, October 24, 2017, from 1-2pm ET.  You can register for the 
webinar and read more about the webinar content here:  
https://marketing.thetambellinigroup.com/acton/media/10722/gdpr-and-us-higher-education-institutions-webinar

As GDPR questions have been coming up on our various EDUCAUSE lists, we have been sharing those questions with the 
Tambellini group so that they can be specifically addressed in the upcoming webinar.

Kind regards,
Joanna

(This message has been cross posted on the EDUCAUSE security, privacy, and IT GRC discussion listservs.)

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu

Become a Member- Everyone at your organization is an EDUCAUSE member when you join | Access discounts, resources, and 
valuable peer networks | Discover membership<https://www.educause.edu/about/discover-membership>

--
[}--> BEWARE of links and attachments in email!   *  Stop, Think before you click *
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!