What is GDPR?
The General Data Protection Regulation (“GDPR”) took effect on May 25, 2018 and expands personal privacy rights and strengthens the consent process for residents of European Union member states (EU) as well as non-EU citizens located in an EU member state. GDPR requires baseline safeguards be implemented by organizations that process the Personal Data of individuals residing in a European Union member state. GDPR affects organizations worldwide, including universities, and applies to institutions that process covered personal information even if the organization has no physical presence within the EU.
What does Personal Data mean?
“Personal Data” means information, or data collected, which can identify an individual either directly or indirectly, including but not limited to: location data, student or employee identification number, online identifiers, economic, any data the University may classify as “Sensitive Data” per the Data Classification Policy, or a name combined with any of the following identifying information: biographical information or current living situation; looks, appearance and behavior; workplace data and information about education; private and subjective data; or health, sickness, and genetics.
What does this mean to me?
If you are an EU resident or a non-EU citizen studying abroad in an EU member state, you are afforded the additional protections covered under GDPR, including the “Right to be Forgotten.”
WVU colleges, departments, and programs are encouraged to be more cognizant when collecting Personal Data and ensure that only information that is absolutely necessary to process a request is collected. All employees and students should review the University’s Information Privacy Policy to familiarize themselves with its stipulations.
What initiatives and processes has West Virginia University put in place to meet GDPR requirements?
WVU has put new processes and initiatives in place to meet GDPR requirements, which include:
- University-wide adoption of a Privacy Notice;
- Updated Information Privacy Policy;
- Named Lee Lawson as its Data Protection Officer;
- Established mechanism for requesting the “Right to be Forgotten”/“Right of Erasure” or “Right to Access”;
- Ongoing collection of data inventories (data collection and use/purpose of collection);
- Updating of informed consent process, as appropriate; and,
- Ongoing identification of Data Processors who are contracted to conduct services for the University.
What do I need to do for GDPR compliance?
Unless ITS has met with you, you do not need to do anything currently; however, your college/department/program should begin to document any data elements you collect and why you collect them.
If you have additional questions pertaining to GDPR, please contact defendyourdata@mail.wvu.edu.