From: Dr. Frank J. Sirianni, VP/CIO
The General Data Protection Regulation (GDPR) is a comprehensive regulation that gives individuals in the European Union (EU) greater control over how their personal data is collected, stored, used, and protected, as well as destroyed once it is no longer needed. The regulation goes into effect on May 25, 2018 and will impact business at Fordham University.
GDPR applies to an individual’s personal data, defined as any information that can be used, directly or indirectly, to identify a person. This includes educational, financial, employment, and health data, as well as biometric data, IP addresses, and more.
The regulation requires institutions to take extra steps to protect the personal data of people in the EU, with no distinction based on an individual’s permanent place of residence or nationality.
Examples where GDPR will have an effect include:
● Fordham students and staff at the London Centre
● Students and staff participating in programs, research, and internships in member states of the EU
● EU residents using our website when applying to Fordham
● Fordham marketing to alumni in the EU
GDPR also covers the personal data stored in Fordham systems and in those managed by third parties.
GDPR compliance requirements overlap, to some degree, with US privacy and data protection regulations, like the Family Educational Rights and Privacy Act (FERPA), yet are more rigorous and carry higher penalties for non-compliance. The regulation empowers supervisory authorities to assess fines as high as 4% of annual revenue or 20 million euros, whichever is higher, for non-compliance.
At Fordham, the journey towards compliance has already begun. Fordham IT, in conjunction with the Office of Legal Counsel, is working closely with University administrators to help them identify what personal data their function processes, where it is stored, and how it is used. Preparations are being made to accommodate requests by individuals to correct, erase, provide for export, or cease processing their personal data. Record-keeping processes demonstrating Fordham’s GDPR compliance are also being created.
The components of the GDPR took years to be drafted and adopted, and it will take some time before interpretation of the regulation’s components is fully understood and integrated into organizational practices at Fordham and elsewhere. To that end, Fordham has created a site, GDPR.fordham.edu, to introduce the concepts of GDPR and their impact on the University’s administrative and business functions. It will also keep you up to date on compliance requirements as they evolve.