Educause Security Discussion mailing list archives
Re: EU's GDPR - is anyone worrying/doing anything?
From: Joanna Grama <jgrama () EDUCAUSE EDU>
Date: Mon, 3 Jul 2017 13:44:30 +0000
Hi Lee,

I would recommend that you check in with your general counsel office to discuss this question. I was at the National Association of College and University Attorneys (NACUA) meeting last week, and my impression from attending sessions is that yes, GDPR would apply in the scenario you describe. Of course, your general counsel office is in the best position to judge what applies and how, and the level of risk for noncompliance for your institution.

We are still working on publishing materials as indicated in my note from early June. I will send a note to this list as resources are published.

Kind regards,
Joanna

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs
EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Lee Ostrowski
Sent: Friday, June 30, 2017 5:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?

Hi Joanna,

Has it been determined the extent that GDPR will apply to universities which provide services to EU citizens while those citizens are in the US? I haven't seen a definitive answer to this question. I did attend an RSM GDPR seminar where they said that GDPR applies globally, even when the EU citizen is in a non-EU country. The example they used was an EU citizen checking into a hotel in Boston.

The other key question this raises is the jurisdiction of the EU in America to police compliance.

Regards,

Lee Ostrowski, CISSP
Chief Information Security Officer
Director of Infrastructure Services
Office of Information Technology
STETSON UNIVERSITY
421 N. Woodland Blvd, Unit 8368 | DeLand, FL 32723
Phone: 386.822.7117 | Email: lostrowski () stetson edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna Grama
Sent: Tuesday, June 06, 2017 8:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?

Hi Everyone,

EDUCAUSE is working to marshal some GDPR resources for IT professionals. The National Association of College and University Attorneys (NACUA) will be presenting a panel presentation on GDPR at the EDUCAUSE Annual Conference this fall. In addition, our policy director, Jarret Cummings, is working with another organization to source some blogs and other online content about GDPR. As materials are published, I will be sure to send an alert to this list.

Kind regards,
Joanna

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs
EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Dillon
Sent: Monday, June 5, 2017 1:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] EU's GDPR - is anyone worrying/doing anything?

Laura,

No plans (solid/documented/complete) I'm aware of yet, but our compliance audit manager is fairly concerned about its potential impact and we are gathering opinions and researching the topic. Her sense is we will need to take steps to comply. Not being a legal expert myself I'm always in jurisdictional quandaries about regulations from other nations and in other states (remember California's privacy rules?) and how those could have tangible impact, but so far people closer to this issue than I believe it to be real. Since CU is very heavily reaching out to international students we may have this problem to a greater degree than others.

Sorry nothing specific to report other than it does pay to pay attention here. I suggest taking this to compliance and legal folks for interpretation as they will (or should) have a more sound understanding of the implications. My impression is that if we advertise and register students in GDPR nations we are definitely accountable for any actions there, and that given the typical Internet jurisdictional concerns, we probably are here as well. I don't have a handle on what that means from an operational standpoint yet but it looks a bit onerous to me at the moment. Yet another set of demands to add to your favorite cross-walk.

Might be a good question for the privacy/policy forums if you don't mind cross-posting a bit.

Best regards,

Jim Dillon
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Jim Dillon
Director of IT Audit Services, CU Internal Audit
303-735-7028

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Laura Raderman
Sent: Monday, June 05, 2017 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] EU's GDPR - is anyone worrying/doing anything?

Is there any institution that’s worried about or otherwise doing anything about the GDPR and getting ready for the May 2018 “deadline”? If so, would you be willing to give me a quick overview of what you’re including in your plans?

Thanks,
Laura

Laura Raderman
ISO Policy & Compliance Coordinator
Carnegie Mellon University
lraderman () cmu edu