The European Union's (EU) General Data Protection Regulation (GDPR) provides protection to natural persons (individual human beings) located within the EU. Specifically, GDPR establishes limits on when and how organizations, no matter where they are located, can collect, store, process, and use personal data of natural persons located in the EU. GDPR also grants individuals certain rights related to their personal data, including the right to be informed about its collection and use, the right of access, and the right to request erasure. At its core, GDPR seeks to ensure that personal data is only collected and processed where clear notice has been provided or consent has been obtained. Personal data should only be processed when it is necessary for specified, explicit and legitimate purposes, and should be securely deleted when it is no longer required.
Effective Date
The GDPR went into effect on May 25, 2018.
Key Definitions
Personal Data – Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing – Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Requirements for Boise State University
Where Boise State University collects or processes personal data of natural persons who are located in the EU, the University must comply with the GDPR. This includes, but is not limited to:
- Providing notice about the collection and use of personal data, or obtaining consent for that collection (depending on the circumstances). Any notice or consent request must be concise, transparent, intelligible, and easily accessible, written using clear and plain language. This notice should include the rights of data subjects to receive a copy of the personal data that the University has collected or processed about them, and the rights to request correction, erasure, or restriction of processing of their personal data. The University will consider such requests under the circumstances presented in accordance with the requirements of Chapter 3, Sections 2 and 3 of the GDPR (right of access; rectification and erasure).
- Ensuring that appropriate technical and organizational measures are employed to protect personal data, and that by default personal data is only collected when it is necessary for a specific purpose. This is known as data protection by design and by default. This includes ensuring that third parties that Boise State contracts with to process personal data collected from individuals in the EU provide sufficient guarantees that they will implement appropriate technical and organizational measures to protect that data.
- Notifying the appropriate EU supervisory authority of any personal data breach within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the University must also notify those data subjects without undue delay.
Penalties for Noncompliance
Violations of the GDPR can result in the imposition of administrative fines of up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.