Re: GDPR Question

[Jennifer Svensson <0000004edf86483d-dmarc-request () LISTSERV EDUCAUSE EDU>]

Hi All,

Please find attached a recent white paper on GDPR Compliance that my
company, Lookout, recently published. This is not meant to be 'salesy' at
all, just sharing given the relevancy.
Thank you.

Kind Regards,

-- 
Jennifer Svensson
Director, SLED
12700 Sunrise Valley Drive, Suite 310, Reston, VA 20191
  jennifer.svensson () lookout com | 202.215.0915 | www.lookout.com

On Mon, Jan 8, 2018 at 12:33 PM, Brad Judy <  brad.judy () cu edu> wrote:

> I don’t think there’s consensus on some of the statements made in that
> particular webcast. The law is about where subjects reside, so the idea
> that data about a US resident transmitted from the EU to the US would be
> in-scope of this law doesn’t fit with most of the reading/listening I have
> done on the topic.  I personally felt the speaker for that session took a
> hardline compared to the other commentaries I have seen on the topic.
>
>
>
> Brad Judy
>
>
>
> Information Security Officer
>
> Office of Information Security
>
> University of Colorado
> 1800 Grant Street, Suite 300
> <https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D+Denver,+CO+%C2%A080203%0D+Office:+(303&entry=gmail&source=g>
> Denver, CO  80203
> <https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D+Denver,+CO+%C2%A080203%0D+Office:+(303&entry=gmail&source=g>
>
> Office: (303
> <https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D+Denver,+CO+%C2%A080203%0D+Office:+(303&entry=gmail&source=g>)
> 860-4293
>
> Fax: (303) 860-4302
>
> www.cu.edu
>
>
>
> [image: u-logo_fl]
>
>
>
>
>
>
>
> *From: *EDUCAUSE Listserv <  SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
> John Denune <  jdenune () UCI EDU>
> *Reply-To: *EDUCAUSE Listserv <  SECURITY () LISTSERV EDUCAUSE EDU>
> *Date: *Monday, January 8, 2018 at 10:23 AM
> *To: *EDUCAUSE Listserv <  SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *Re: [SECURITY] GDPR Question
>
>
>
> Brad,
>
>
>
> From the EDUCAUSE/Tambellini Group webinar, one of the scenarios presented
> involved a US faculty member visiting Finland on sabbatical. While in
> Finland, the scenario concluded that:
>
>    - All personal data the faculty member sends back to the home
>    institution falls under GDPR
>    - This includes the personal data of her US PhD students that she may
>    send back to the US
>    - This also may include all personal data she has with her when she
>    returns to the US.
>
>
>
> So, from this webinar GDPR scope seems to be based on the data flow of
> personal information from the EU to somewhere else. It doesn’t seem to
> matter the citizenship or the residency of the subject. At least that was
> my take based on scenarios in the webinar. I also echo that working with
> legal counsel is the way to go to help clarify as there seem to be a lot of
> interpretations out there.
>
>
>
> ---John
>
>
>
> --
>
> John Denune
>
> Security Risk and Compliance Program Manager
>
> Office of Information Technology
>
> University of California, Irvine
>
>   jdenune () uci edu
>
> (949) 824-8301
>
>
>
>
>
> *From: *The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Brad Judy <  brad.judy () CU EDU
> >
> *Reply-To: *The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU>
> *Date: *Monday, January 8, 2018 at 8:57 AM
> *To: *"  SECURITY () LISTSERV EDUCAUSE EDU" <  SECURITY () LISTSERV EDUCAUSE EDU
> >
> *Subject: *Re: [SECURITY] GDPR Question
>
>
>
> In the case of GDPR, I strongly recommend working with legal counsel about
> how your institution wishes to handle it.  International
> extra-jurisdictional law is an interesting space and while I think there is
> some consistency on the interpretation of the intent of GDPR, it seems like
> different institutions have different views of what that means for them.
>
>
>
> As to Ben’s point about the law not applying to EU citizens residing
> outside the EU (definitely true from my understanding), here’s another way
> to think about it: In order for countries to be sovereign, they aren’t
> subject to the local laws of other countries. So, some part of the equation
> must be within EU borders for the law to apply.  In other situations, the
> focus has been on the data physically residing within borders.  In the case
> of EU GDPR, it doesn’t care where the data resides, only that the human
> subject of the data is within EU borders.  This creates interesting
> discussions about individuals who are temporarily within EU borders
> (visiting for a week, studying/working for a semester, etc.).
>
>
>
> Brad Judy
>
>
>
> Information Security Officer
>
> Office of Information Security
>
> University of Colorado
> 1800 Grant Street, Suite 300
> <https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D+Denver,+CO+%C2%A080203%0D+Office:+(303&entry=gmail&source=g>
> Denver, CO  80203
> <https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D+Denver,+CO+%C2%A080203%0D+Office:+(303&entry=gmail&source=g>
>
> Office: (303
> <https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D+Denver,+CO+%C2%A080203%0D+Office:+(303&entry=gmail&source=g>)
> 860-4293
>
> Fax: (303) 860-4302
>
> www.cu.edu
>
>
>
> [image: logo_fl]
>
>
>
>
>
>
>
> *From: *EDUCAUSE Listserv <  SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
> Ben Marsden <  bmarsden () SMITH EDU>
> *Reply-To: *EDUCAUSE Listserv <  SECURITY () LISTSERV EDUCAUSE EDU>
> *Date: *Monday, January 8, 2018 at 9:18 AM
> *To: *EDUCAUSE Listserv <  SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *Re: [SECURITY] GDPR Question
>
>
>
> expanding a bit (and with the standard IANAL caveat, it is my evolving
> understanding that...),  the regulation also states that EU citizens living
> abroad (ie, outside EU-covered states) are NOT covered by the regulation
> while they remain abroad.  Ie. ex-pats aren't covered, so your faculty
> members who may have EU citizenship but live & work at your US-based
> institution are not covered by GDPR (erm, unless they go visit the homeland
> and then exchange PI covered data while there).
>
>
>
>   yes, ymmv ...
>
>
>
> On Mon, Jan 8, 2018 at 11:09 AM, Brian T. Huntley <  bhuntley () clarkson edu>
> wrote:
>
> Hi Jim -
>
>
>
> Most everything I've seen and council advice we've received would indicate
> that a US student studying abroad would indeed be entitled to protections
> under the GDPR.
>
>
>
> In fact, some have gone so far as to suggest that based on the somewhat
> vague definition in Article 3:  "...data subjects who are in the Union..."
> would include anyone who was physically within the bounds of the EU -
> whether expat, resident, citizen or "just visiting".
>
>
>
> YMMV though, so definitely worth engaging your GC to get their take and
> enable your senior management to make an informed risk decision about the
> whole thing.
>
>
>
> Brian
>
>
>
>
> --
>
> Brian T. Huntley
>
> Director of Network Services and Information Security
>
> Office of Information Technology
>
> Clarkson University
>
> 315.268.6723 <(315)%20268-6723>
>
>
>
> On Mon, Jan 8, 2018 at 9:50 AM, Pardonek, Jim <  jpardonek () luc edu> wrote:
>
> Good Morning,
>
>
>
> We have been having some discussions regarding what population’s records
> are subject to GDPR.  The discussion centers around whether or not the
> records of US citizens that study abroad fall under GDPR.  Some say it’s
> only those who are citizens of the EU.  Is there any guidance on this topic?
>
>
>
> Thanks and have a great day.
>
>
>
> Jim
>
>
>
> *James Pardonek, MS, CISSP, CEH*
>
> *Information Security Officer*
>
>
> * Loyola University Chicago  1032 W. Sheridan Road | Chicago, IL
> <https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+(**:+(773*&entry=gmail&source=g>
> <https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%3Chttps://maps.google.com/?q%3D1032%2BW.%2BSheridan%2BRoad%2B%257C%2BChicago,%2BIL%25C2%25A0%25C2%25A060660%2B%250D%2B*%2B%250D%2B(**:%2B(773*%26entry%3Dgmail%26source%3Dg%3E+%0D+*+%0D+(**:+(773+%3Chttps://maps.google.com/?q%3D1032%2BW.%2BSheridan%2BRoad%2B%257C%2BChicago,%2BIL%25C2%25A0%25C2%25A060660%2B%250D%2B*%2B%250D%2B(**:%2B(773*%26entry%3Dgmail%26source%3Dg%3E*&entry=gmail&source=g>60660
> <https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+(**:+(773*&entry=gmail&source=g>
> *
> * (**: (773
> <https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+(**:+(773*&entry=gmail&source=g>)
> 508-6086*
>
>
>
> *Loyola University Chicago will never ask your for your username or
> password.*
>
> *For the lastest information security news at Loyola, please follow us
> online,*
>
> *Twitter: @LUCUISO*
>
> *Facebook: https://www.facebook.com/lucuiso/
> <https://www.facebook.com/lucuiso/>*
>
> *Our Blog http://blogs.luc.edu/uiso/ <http://blogs.luc.edu/uiso/>*
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Joanna Grama
> *Sent:* Monday, October 2, 2017 9:16 AM
> *To:*   SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] October 24 GDPR Webinar from Tambellini Group and
> EDUCAUSE
>
>
>
> Good morning,
>
> Many of us continue to struggle with understanding the scope and finer
> points of the EU GDPR and its application to US higher education
> institutions. To that end, EDUCAUSE and the Tambellini Group have been
> working together to share more information on this topic and we are pleased
> to announce an upcoming webinar that you may be interested in.
>
>
>
> The jointly sponsored webinar will be held on Tuesday, October 24, 2017,
> from 1-2pm ET.  You can register for the webinar and read more about the
> webinar content here:  https://marketing.thetambellinigroup.com/acton/
> media/10722/gdpr-and-us-higher-education-institutions-webinar
>
>
>
> As GDPR questions have been coming up on our various EDUCAUSE lists, we
> have been sharing those questions with the Tambellini group so that they
> can be specifically addressed in the upcoming webinar.
>
>
>
> Kind regards,
>
> Joanna
>
>
>
> *(This message has been cross posted on the EDUCAUSE security, privacy,
> and IT GRC discussion listservs.)*
>
>
>
> *Joanna Grama, JD, CISSP, CRISC, CIPT*
> Director of Cybersecurity and IT GRC Programs
>
>
>
> *EDUCAUSE*
> *Uncommon Thinking for the Common Good*
> 282 Century Place, Suite 5000, Louisville, CO 80027
> <https://maps.google.com/?q=282+Century+Place,+Suite+5000,+Louisville,+CO+80027&entry=gmail&source=g>
> direct: 720.406.6769 <(720)%20406-6769> | cell: 720.507.5983
> <(720)%20507-5983> |   jgrama () educause edu
>
>
>
> *Become a Member**- Everyone at your organization is an EDUCAUSE member
> when you join* | Access discounts, resources, and valuable peer networks | Discover
> membership <https://www.educause.edu/about/discover-membership>
>
>
>
>
>
>
>
>
>
>
>
> --
>
> [}--> BEWARE of links and attachments in email!   *  Stop, Think before
> you click *
>
> ============================================
>
> Ben Marsden : Information Security Director, CISSP
> ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
> ---------------------------------------------------------------------
>
> =--> Any request to reveal your Smith password via email is fraudulent!

Attachment: GDPR-Lookout Whitepaper.pdf
Description: