IU GDPR Working Group

The General Data Protection Regulation (GDPR) Working Group is organized to:

• • Determine which units may need to take additional steps to comply with the GDPR; and
  • Provide guidance to those units on how best to comply with the GDPR’s strict data protection rules.

The IU GDPR Working Group is comprised of select staff members from:

• • Chief Privacy Officer - Mark Werling (Chair)
  • Office of the Vice President & General Counsel (OVPGC) - Jeff Goetz
  • University Information Policy Office (UIPO)
  • Office of International Services (OIS)
  • Office of the Vice President for International Affairs (OVPIA)
  • University Compliance
  • University Library
  • University Student Services & Systems (USSS)

Contact: gdpr@iu.edu

The European Union’s General Data Protection Regulation (GDPR) went into effect May 25, 2018. When applicable, this law imposes strict data protection rules on organizations in an effort to protect the privacy of individuals in the EU.

The GDPR may have implications for your unit if your unit collects, processes, or stores (or uses a third party to collect, process, or store) personal data from individuals inthe European Union. The GDPR defines "personal data" very broadly such that the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used to identify an individual.

The GDPR concerns the personal data of individuals in the European Economic Area, which includes EU countries as well as Iceland, Norway, and Lichtenstein. So when we say the EU, we mean all of the above countries. 

To what extent is IU subject to the GDPR?

• The GDPR indicates that it applies to organizations based outside of the EU “where the [data] processing activities are related to:
  1. the offering of goods or services, irrespective of whether a payment to the data subject is required, to such data subjects in the [European] Union; or
  2. the monitoring of their behavior as far as their behavior takes place within the [European] Union”
• The GDPR makes clear that the mere fact that an organization’s website is accessible in the EU and can collect personal data from EU residents does not mean that the organization must comply with the GDPR.
• To be subject to the GDPR, the organization must show an intention to offer goods or services specifically to EU residents, such as by mentioning customers in the EU on its website, selling goods in Euros, or providing content in an EU-specific language.
• The GDPR will impact certain IU activities where we are targeting individuals in the EU or monitoring their behavior (e.g., where an IU research project involves collecting personal data from EU residents); however, at least until we understand more clearly how the GDPR will be applied to organizations outside the EU, we are taking the position that most IU activities are not within the scope of the GDPR.
• We do not treat the data of EU citizens enrolling at IU as subject to the GDPR because IU will be providing those students with services almost exclusively in the US. Such data will instead be subject to US data protection laws.

What are examples of some IU activities which might be within the scope of the GDPR?

• Undergraduate and graduate recruitment targeted towards EU residents
• Research involving the collection of personal data from EU residents
• Dual or joint degree programs with European institutions
• The use of CRM products to target or track EU residents

Unsure if your processing activity is in scope?

The GDPR imposes significant new requirements on organizations (even those operating solely outside of the EU) that collect, process, or store personal data of individuals present in the EU, whether or not EU citizens or residents. For example, the GDPR generally requires that organizations allow individuals access to their personal data and keep detailed records of how such personal data is processed. In the event of a GDPR violation, the Regulation gives EU authorities the ability to levy steep fines. Please note that the GDPR will most likely not apply to data of EU citizens collected while they reside in the United States.  For more information, please see this detailed article.

The following documents are merely template drafts and are not a one-size-fits-all GDPR compliance solution. Each use-case may require significant customization (or completely alternative language). Please be sure to consult with the IU GDPR Working Group prior to implementing these.

• Privacy Notice Generator 

• Data protection information notice template (draft): 
  • To be provided to data subjects at the time of (or prior to) data collection (when a web-based privacy notice is not applicable).
• Consent declaration template (draft)
• Data transfer agreement template with standard (model) contractual clauses (draft):
  • Data transfer agreements may need to be incorporated into data purchasing / licensing / service agreements.
  • This particular template is only applicable to transfers of data from an EU data controller to IU (when IU is also acting as a data controller). A different template may need to be implemented for situations in which IU is acting as a data processor, or when IU is transferring EU personal data to a third party.

• EU GDPR text
• EDUCAUSE
• Slides: GDPR Basics
• IU Policy ISPP-24: "Web Site, Web Applicaton, and Web Services Privacy Notices"
• GDPR Portal | FAQs
• EU Commission:
  • Data Protection
  • Data Protection Authorities (DPAs) (for each EU Member State)

1. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. The word "in" is used broadly in this instance. The GDPR applies to the personal data of data subjects regardless of whether they are citizens or residents of the EU. (See Chapter 1, Article 3 of the GDPR for more information on "Territorial Scope".)
3. Non-compliance may be subject to administrative fines up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.