General Information about the Law:
- The GDPR is the primary law regulating how the personal data of individuals within the European Union (EU) is protected, and it affects organizations worldwide, including Idaho State University.
- It mandates a baseline set of standards for organizations that handle personal and certain other data of Data Subjects located in the EU, to better safeguard the processing and movement of that data.
- It applies to institutions with no physical EU presence that control or process covered information, irrespective of whether the Data Subject is an EU citizen.
In general, the GDPR covers the collection, processing, management, storage, use, and retention of personal data for University functions or activities that: 1) take place in the EU; 2) offer goods or services to individuals located in the EU; or 3) involve the control or processing of data relating to individuals in the EU, such as tracking the individual online.
Although the GDPR is not a US law, it may apply to a number of Idaho State University's activities that involve information about Data Subjects located in Europe, regardless of whether they are citizens or permanent residents of an EU country. Where it applies, its key requirements include:
- Notice: ISU must give Data Subjects clear notice of what personal data is being processed and the purpose of the processing (Articles 12 to 14)
- Consent: consent is one of the legal bases for processing under Article 6; where ISU relies on it, the consent must be freely given, specific, informed and unambiguous, and ISU must be able to demonstrate that it was obtained (Article 7)
- Data Minimization: ISU must only process personal data that is relevant and limited to what is necessary for the purpose for which it is processed (Articles 5 and 25)
- Right to Access: ISU, as a controller, must confirm whether it is processing a Data Subject's personal data and, if so, provide access to and a copy of that data free of charge (Article 15)
- Right to Rectify: ISU must give Data Subjects the right to have personal data rectified if inaccurate or incomplete (Article 16)
- Right to be Forgotten: ISU must give Data Subjects the right to erase data and request the data not be disseminated in certain circumstances (Article 17)
- Data Portability: ISU must give Data Subjects the right to obtain their data in a commonly used, machine-readable format, and the right to transmit that data to another data controller (Article 20)
- Data Protection Officer: ISU may need to appoint a Data Protection Officer to be accountable for compliance with the GDPR (Articles 37 and 38)
- Privacy by Design: ISU must protect data at all stages and throughout its systems (Article 25)
- Breach Notification: in the event of a personal data breach, ISU must notify the competent supervisory authority within seventy-two (72) hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals (Article 33), and must communicate the breach to the affected Data Subjects without undue delay when it is likely to result in a high risk to them (Article 34)
“Personal data” under the GDPR means any information relating to an identified or identifiable person. An “identifiable person” is one who can be identified, directly or indirectly, through an identifier such as a name, an identification number, location data, or an online identifier. The GDPR defines personal data very broadly, so the term includes names, addresses, phone numbers, national IDs, IP addresses, profile pictures, personal healthcare data, educational data, and any other data that can be used to identify an individual.
If ISU processes personal data without a legal basis or violates a data subject's rights, it may be fined up to 20 million euros or up to four percent (4%) of its total worldwide annual turnover for the preceding financial year, whichever is higher. If ISU fails to notify a data breach as required, fails to designate a representative in the EU where one is required, or fails to maintain written records of processing, it may be fined up to 10 million euros or up to two percent (2%) of that annual turnover, whichever is higher (Article 83).