Re: Government owned Universities that are covered under GDPR?

["Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>]

That question, to my knowledge, has not been fully determined by the FTC or by the courts, if GDPR is enforceable in 
the US …..  There are some treaties and the GPEN memberships that comes into play, and is currently murky at best…..

However, there are some cases where you absolutely, probably can fall under GDPR in some form of scope….


  1.  If your……..

Wait, I am not a lawyer, or providing you official consultation in this scenario…   :)


  1.  If your Global education department (or any other department) has signed an agreement with an .edu entity from 
the EU that you will abide by ‘all applicable laws’ or specifically ‘GDPR’.
  2.  If your organization has entered into a contract with a vendor that is from the EU or has otherwise put into 
their contract a requirement for GDPR compliance
  3.  If you use a data center that is resident in the EU to store PII on data subjects from the EU.
  4.  If you have an office in the EU (this could, maybe, also mean a recruiter).
  5.  If you have an agreement, ethics code, terms of service/use/*, state requirement/mandate, public international 
code of conduct, that says your organization (or any part of) will abide by all state, national, and international laws.

This is just a sampling for GDPR specific concerns you might need to think about and discuss with your privacy/legal 
teams….  And I would strongly encourage you to talk to someone who has specific Privacy training and experience to 
determine scope for your organization…. Many times General counsel and external counsel teams do not have privacy 
training, and ‘interpret’ things differently.

I would also look at the various state privacy laws that are coming down the road, which many are very similar to GDPR, 
and will require the same kinds of data subject rights and transparency.

-Jonathan

Ps….  Here is the map from IAPP about state privacy laws that I use in my privacy presentations to .edu’s….

https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Map_03_23_2021.pdf


~
Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM, CIPT,
OTCP,GLEG, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743
jonathan-kimmitt () utulsa edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Alexandre Adao
Sent: Thursday, April 1, 2021 7:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Government owned Universities that are covered under GDPR?

Hello everyone,
Any idea of government owned (state) universities in the US are covered under GDPR?

Thanks,

-- Alex Adao
=============================================
Alexandre Magno Adão
Director of Information Security Systems
Morgan State University (CGW 300k)
Division of Information Technology (DIT)
443-885-4415 Office
443-803-3154 Cell


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7Cbaae5c660ada4d187a3908d8f56eae68%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637529203015673392%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Dh4M7wKn5qAoJJLjHEQ3rYH35rrojJlX0jb%2F2n9OtFM%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community