The following action plan will help Idaho State University achieve compliance with GDPR. Action items are categorized into four (4) groups and the priority of each action is indicated to systematically reduce risk for the University.
Inform/Plan/Survey (Priority 1)
- Communication to leadership and the University community
- Formation of working group of stakeholders
- Questionnaire of EU data collected and held
  - Conduct a review of ISU systems to determine what information is currently held, the purpose of having that information, how information is held and secured, and whether and with whom the data is shared. The questionnaire will be sent to VPs, Deans, and Directors, and will assist in identifying where technological and procedural safeguards may be established to ensure compliance.
Website (Priority 2)
- Create a GDPR website with pertinent information about the law, what data ISU collects, how it is used, how consent is garnered, and how data subjects can opt out.
- Draft a privacy notice for data collected from the data subjects and make it available as appropriate.
Breach Response (Priority 3)
- Incorporate GDPR in Information Technology Security procedures.
  - Under GDPR breach notification requirements, a review and revision of ITS policies is warranted. The review should consider responsibilities of notification to the data subject and to supervisory authorities in the EU, the circumstances requiring notification under the GDPR, and the documentation requirements surrounding breach investigation and response.
Data Management (Priority 4)
- Review contracts that include the data subjects’ information and amend with a Data Protection Addendum as needed.
- Identify all contracts with entities tasked with collecting and/or processing data from the data subjects. Review the privacy practices and data safeguards of the processor and whether they are likely to be in compliance with the GDPR.
- Review the data identified in the survey to determine whether any activities fall outside the norm and require consent or an opt-out before information is collected.
- Develop procedures for obtaining consent from data subjects prior to collection of data for processing when consent is required. Determine if processing is essentially optional to the data subject. If processing is necessary for the legitimate interests of ISU, a notice containing a description of the reasons and legitimate interests requiring processing should be given to the data subject before processing occurs. The notice should include the data subject’s right to object to processing the data.
- Develop a process for handling requests to access data.
  - GDPR provides the data subject the right to access his/her data upon request. The data controller has the responsibility to verify the identity of the person requesting access and to release data only to the data subject directly.
- Develop a process for handling requests to correct or delete data.
  - Develop a procedure for responding to and executing requests from the data subject for the monitoring, correction, and deletion of data.
- Identify high-risk data and assess opportunities for data minimization.
  - Activities surrounding minimization include four (4) areas: current processing, records, retention and destruction, and assessment.
- Determine research requirements for data subjects.
  - Work with ISU’s IRB to incorporate GDPR considerations for any studies that include data subjects.
- Determine Division of Health Sciences requirements for data subjects.
  - Work with DHS to incorporate GDPR considerations for any work that involves data subjects.
ISU is committed to GDPR compliance and will continuously monitor the EU regulation, ISU departments, and University policies and procedures to stay as current as possible.