General Data Protection Regulation

The European Union's General Data Protection Regulation (GDPR) is a privacy law that governs the use of personally identifiable information. Specifically, the GDPR grants certain legal rights to people whose personal data is being collected and processed and imposes legal responsibilities on entities that control or process personal data.

While the GDPR is not a United States law, it may apply to entities within the United States, including institutions of higher education, that process, store, or manage the personal data of residents of the European Union. The law is intended to apply to persons located in Europe regardless of whether they are citizens or permanent residents of a European Union country. While United States privacy laws generally apply to specified industries (e.g., FERPA for education), the GDPR is “comprehensive” and applies regardless of the context in which personal data is processed. Under the GDPR, personal data includes basic identifying information (such as name and address), biometric data, IP addresses, sexual orientation, racial or ethnic data, and political opinions.

In general, the GDPR applies to the storage or use of personal data for functions or activities that (1) take place in the EU; (2) involve outreach to EU residents to offer goods or services; or (3) track EU residents online or involve the control or processing of data of EU residents.



A working group has been established to evaluate and develop a plan to comply with the GDPR. This group, which consists of representatives from the Office of General Counsel, Risk and Compliance Office, Office of Government and Community Relations, and Information Technology Services, will be working closely with select departments across campus to ensure that we are protecting personal data under the GDPR.

If you have questions about the GDPR or how it may apply to your department or unit, please contact Jamie Hoag with the Office of Government and Community Relations at