Educause Security Discussion mailing list archives

Re: GDPR Question

From: Ben Marsden <bmarsden () SMITH EDU>
Date: Mon, 8 Jan 2018 15:23:00 -0500

How much of the DPD (GDPR's predecessor) case law can be applied to the
GDPR?  David ( and Brad / others) suggests "consulting with a lawyer who
has a demonstrable track-record"  which is fine, except for the part where
I don't think anyone can have a track record or real sense of the
operational risk -- or which bits of data are covered in outlier scenarios
-- until some of this starts getting actively litigated.

(Side wish, would be nice if I had any on-staff legal counsel to talk with
about such things.  And please, Lord, don't let me be the precedent-setting
case law!) <knock-on-wood>

-- Ben

On Mon, Jan 8, 2018 at 12:40 PM, David Sheryn <dsheryn () london edu> wrote:

Hi John,



As per my previous email (which seems to have gone MIA), the terms
“resident” or “citizen” don’t appear in the GDPR.



Roughly, if a “Data Controller” is based in the EU, then all personal data
that they process is subject to GDPR, regardless of where they process it
or where it comes from/how they got it in the first place.  “Personal Data”
created in the EU (likely to occur if a data subject is present in the EU
for some reason) will be subject to GDPR, and relevant controls if you try
to export it out of the EU.   Probably.



But consulting a lawyer who has a demonstrable track-record about this
stuff will be important: there’s a lot of FUD being circulated, even over
here, including from people who should know better.



Regards



*-- *

*David Sheryn | Information Security Specialist | Information Technology.*
London Business School | Regent's Park | London NW1 4SA | United Kingdom.
Switchboard +44 (0)20 7000 7000 <+44%2020%207000%207000> | Office:
SO.W4.01

www.london.edu | London experience. World impact.

A Graduate School of the University of London



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *John Denune
*Sent:* 08 January 2018 17:23
*To:* SECURITY () LISTSERV EDUCAUSE EDU

*Subject:* Re: [SECURITY] GDPR Question



Brad,



From the EDUCAUSE/Tambellini Group webinar, one of the scenarios presented
involved a US faculty member visiting Finland on sabbatical. While in
Finland, the scenario concluded that:

   - All personal data the faculty member sends back to the home
   institution falls under GDPR
   - This includes the personal data of her US PhD students that she may
   send back to the US
   - This also may include all personal data she has with her when she
   returns to the US.



So, from this webinar GDPR scope seems to be based on the data flow of
personal information from the EU to somewhere else. It doesn’t seem to
matter the citizenship or the residency of the subject. At least that was
my take based on scenarios in the webinar. I also echo that working with
legal counsel is the way to go to help clarify as there seem to be a lot of
interpretations out there.



---John



--

John Denune

Security Risk and Compliance Program Manager

Office of Information Technology

University of California, Irvine

jdenune () uci edu

(949) 824-8301





*From: *The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Brad Judy <brad.judy () CU EDU>
*Reply-To: *The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Monday, January 8, 2018 at 8:57 AM
*To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject: *Re: [SECURITY] GDPR Question



In the case of GDPR, I strongly recommend working with legal counsel about
how your institution wishes to handle it.  International
extra-jurisdictional law is an interesting space and while I think there is
some consistency on the interpretation of the intent of GDPR, it seems like
different institutions have different views of what that means for them.



As to Ben’s point about the law not applying to EU citizens residing
outside the EU (definitely true from my understanding), here’s another way
to think about it: In order for countries to be sovereign, they aren’t
subject to the local laws of other countries. So, some part of the equation
must be within EU borders for the law to apply.  In other situations, the
focus has been on the data physically residing within borders.  In the case
of EU GDPR, it doesn’t care where the data resides, only that the human
subject of the data is within EU borders.  This creates interesting
discussions about individuals who are temporarily within EU borders
(visiting for a week, studying/working for a semester, etc.).



Brad Judy



Information Security Officer

Office of Information Security

University of Colorado
1800 Grant Street, Suite 300
<https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D+Denver,+CO+%C2%A080203%0D+Office:+(303&entry=gmail&source=g>
Denver, CO  80203
<https://maps.google.com/?q=1800+Grant+Street,+Suite+300+%0D+Denver,+CO+%C2%A080203%0D+Office:+(303&entry=gmail&source=g>

Office: (303) 860-4293

Fax: (303) 860-4302

www.cu.edu



[image: -logo_fl]







*From: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
Ben Marsden <bmarsden () SMITH EDU>
*Reply-To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Monday, January 8, 2018 at 9:18 AM
*To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject: *Re: [SECURITY] GDPR Question



expanding a bit (and with the standard IANAL caveat, it is my evolving
understanding that...),  the regulation also states that EU citizens living
abroad (ie, outside EU-covered states) are NOT covered by the regulation
while they remain abroad.  Ie. ex-pats aren't covered, so your faculty
members who may have EU citizenship but live & work at your US-based
institution are not covered by GDPR (erm, unless they go visit the homeland
and then exchange PI covered data while there).



  yes, ymmv ...



On Mon, Jan 8, 2018 at 11:09 AM, Brian T. Huntley <bhuntley () clarkson edu>
wrote:

Hi Jim -



Most everything I've seen and council advice we've received would indicate
that a US student studying abroad would indeed be entitled to protections
under the GDPR.



In fact, some have gone so far as to suggest that based on the somewhat
vague definition in Article 3:  "...data subjects who are in the Union..."
would include anyone who was physically within the bounds of the EU -
whether expat, resident, citizen or "just visiting".



YMMV though, so definitely worth engaging your GC to get their take and
enable your senior management to make an informed risk decision about the
whole thing.



Brian




--

Brian T. Huntley

Director of Network Services and Information Security

Office of Information Technology

Clarkson University

315.268.6723 <(315)%20268-6723>



On Mon, Jan 8, 2018 at 9:50 AM, Pardonek, Jim <jpardonek () luc edu> wrote:

Good Morning,



We have been having some discussions regarding what population’s records
are subject to GDPR.  The discussion centers around whether or not the
records of US citizens that study abroad fall under GDPR.  Some say it’s
only those who are citizens of the EU.  Is there any guidance on this topic?



Thanks and have a great day.



Jim



*James Pardonek, MS, CISSP, CEH*

*Information Security Officer*


* Loyola University Chicago  1032 W. Sheridan Road | Chicago, IL
<https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+(**:+(773*&entry=gmail&source=g>
<https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%3Chttps://maps.google.com/?q%3D1032%2BW.%2BSheridan%2BRoad%2B%257C%2BChicago,%2BIL%25C2%25A0%25C2%25A060660%2B%250D%2B*%2B%250D%2B(**:%2B(773*%26entry%3Dgmail%26source%3Dg%3E+%0D+*+%0D+(**:+(773+%3Chttps://maps.google.com/?q%3D1032%2BW.%2BSheridan%2BRoad%2B%257C%2BChicago,%2BIL%25C2%25A0%25C2%25A060660%2B%250D%2B*%2B%250D%2B(**:%2B(773*%26entry%3Dgmail%26source%3Dg%3E*&entry=gmail&source=g>60660
<https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+(**:+(773*&entry=gmail&source=g>
*
* (**: (773
<https://maps.google.com/?q=1032+W.+Sheridan+Road+%7C+Chicago,+IL%C2%A0%C2%A060660+%0D+*+%0D+(**:+(773*&entry=gmail&source=g>)
508-6086*



*Loyola University Chicago will never ask your for your username or
password.*

*For the lastest information security news at Loyola, please follow us
online,*

*Twitter: @LUCUISO*

*Facebook: https://www.facebook.com/lucuiso/
<https://www.facebook.com/lucuiso/>*

*Our Blog http://blogs.luc.edu/uiso/ <http://blogs.luc.edu/uiso/>*



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Joanna Grama
*Sent:* Monday, October 2, 2017 9:16 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] October 24 GDPR Webinar from Tambellini Group and
EDUCAUSE



Good morning,

Many of us continue to struggle with understanding the scope and finer
points of the EU GDPR and its application to US higher education
institutions. To that end, EDUCAUSE and the Tambellini Group have been
working together to share more information on this topic and we are pleased
to announce an upcoming webinar that you may be interested in.



The jointly sponsored webinar will be held on Tuesday, October 24, 2017,
from 1-2pm ET.  You can register for the webinar and read more about the
webinar content here:  https://marketing.thetambellinigroup.com/acton/
media/10722/gdpr-and-us-higher-education-institutions-webinar



As GDPR questions have been coming up on our various EDUCAUSE lists, we
have been sharing those questions with the Tambellini group so that they
can be specifically addressed in the upcoming webinar.



Kind regards,

Joanna



*(This message has been cross posted on the EDUCAUSE security, privacy,
and IT GRC discussion listservs.)*



*Joanna Grama, JD, CISSP, CRISC, CIPT*
Director of Cybersecurity and IT GRC Programs



*EDUCAUSE*
*Uncommon Thinking for the Common Good*
282 Century Place, Suite 5000, Louisville, CO 80027
<https://maps.google.com/?q=282+Century+Place,+Suite+5000,+Louisville,+CO+80027&entry=gmail&source=g>
direct: 720.406.6769 <(720)%20406-6769> | cell: 720.507.5983
<(720)%20507-5983> | jgrama () educause edu



*Become a Member**- Everyone at your organization is an EDUCAUSE member
when you join* | Access discounts, resources, and valuable peer networks | Discover
membership <https://www.educause.edu/about/discover-membership>











--

[}--> BEWARE of links and attachments in email!   *  Stop, Think before
you click *

============================================

Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
---------------------------------------------------------------------

=--> Any request to reveal your Smith password via email is fraudulent!




-- 
[}--> BEWARE of links and attachments in email!   *  Stop, Think before you
click *
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!

Current thread:

Re: GDPR Question, (continued)
- Re: GDPR Question Brian T. Huntley (Jan 08)
  - Re: GDPR Question David Sheryn (Jan 08)
  - Re: GDPR Question Ben Marsden (Jan 08)
    - Re: GDPR Question Brad Judy (Jan 08)
    - Re: GDPR Question John Denune (Jan 08)
    - Re: GDPR Question Brad Judy (Jan 08)
    - Re: GDPR Question Jennifer Svensson (Jan 08)
    - Re: GDPR Question David Sheryn (Jan 08)
    - Re: GDPR Question Adam Maynard (Jan 08)
    - Re: GDPR Question Brad Judy (Jan 08)
    - Re: GDPR Question Ben Marsden (Jan 08)
- Re: GDPR Question Chris Garriss (Jan 08)
  - Re: GDPR Question Joanna Grama (Jan 08)
    - Re: GDPR Question Adam Menos (Jan 09)