INTRODUCTION TO THE GENERAL DATA PROTECTION REGULATION (GDPR)

New Mexico State University (NMSU) is substantially compliant with the requirements of the European Union’s (EU) General Data Protection Regulation (GDPR), which became effective May 25, 2018 and is now being enforced.  GDPR only applies to personal information collected from individuals in the EU and therefore, a very small amount of the information collected by NMSU may be subject to this new regulation.  In addition, the GDPR requirements are very similar and overlap with existing US data privacy regulations such as FERPA, GLBA, FISMA, the Red Flags Rule, etc.

GDPR replaces the former Data Protection Directive 95/46/EC. GDPR was designed to harmonize data privacy laws across Europe, to reshape the way organizations approach data privacy, and strengthen and unify data protection for EU data subjects.

EU data subjects are individuals physically residing in the EU, irrespective to nationality or permanent place of residence. This includes members of the NMSU community who may be residing (permanently or temporarily) in the EU, and EU residents who attend NMSU physically or via Distance Ed.

Since NMSU handles data related to these individuals, the university needs to ensure proper handling and practice best data privacy & security according to these regulatory requirements. GDPR imposes penalties on organizations that fail to comply.  Also, refer to NMSU’s IT Compliance website for more information on how to comply with GDPR and other data privacy regulations such as FERPA, GLBA, etc., which again may overlap in the requirements relating to the protection of sensitive/confidential student, employee and customer entrusted data.  Additionally, refer to NMSU’s Privacy Program’s website for more information regarding privacy standards.

What is GDPR?

The GDPR is focused on the personal data of EU data subjects. Personal data is any information about an identified or identifiable EU data subject and includes name, address, online identifiers (including IP addresses), location data (e.g. GPS coordinates), email address, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life, and sexual orientation.

The GDPR gives EU data subjects significant new rights over how their personal data is collected, processed, and transferred by data controllers and processors. Under GDPR, EU data subjects have the right to, among other things:

  • Access any data that an organization has collected about the individual;
  • Know why an organization is processing the individual’s personal data and the categories of personal data that an organization processes;
  • Correct any errors in personal data collected or processed by an organization;
  • Know how long an organization will store the individual’s personal data; and
  • Under certain circumstances, require the organization to permanently delete the individual’s personal data (this right is sometimes referred to as the right to be forgotten or the right to erasure).
  • From an organizational perspective, GDPR requires significant data protection safeguards be implemented and imposes a number of obligations; notable requirements include that the organization:
  • Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists;
  • Minimize the collection and processing of personal data whenever possible;
  • Protect any personal data that it collects and uses;
  • Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal data of data subjects, implement a plan to mitigate those risks and impacts and continuously monitor both the risks and the mitigation plan for change;
  • Conduct a data protection impact assessment for special categories of high-risk data collection and processing; and
  • Have a breach notification policy, and notify authorities within 72 hours of learning of the breach.

GDPR Compliance Steps

1. Information you hold

Document what personal data you hold, where it came from and who you share it with. GDPR applies to anyone involved in processing data for citizens or residents in the EU, regardless of whether the employee/student is located in the EU.

2. Communicating privacy information – Refer to NMSU’s Privacy Program website

Update current student/employee privacy notice and complete updates in time for May 25, 2018 GDPR Implementation.

3. Individuals’ rights

Check procedures to ensure they cover all the rights EU residents and citizens have under GDPR. These include how you edit, electronically transport, securely store, correct, retain and delete their personal data; and in a commonly used format.

4. Subject access requests

Update procedures and protocols for handling requests.

5. Lawful basis for processing personal data

Identify the lawful basis for your processing activity in the GDPR, document it, and update the privacy notice to explain it.

6. Consent

Request consent at initial recruitment and enrollment process for citizens and residents to meet the GDPR standard.

7. Children

Put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity (e.g. Community Music School, SPICE activities, summer camps, etc.)

8. Data breaches

Ensure the appropriate procedures are in place to detect, report, and investigate a personal data breach.

Known or suspected violations should be reported immediately to the CPO by phone at (575) 646-5902, or by email at clobato@nmsu.edu.  The CPO will handle, investigate, document and report to the appropriate authorities within 72 hours.

Resources

For more information contact:

Carlos S. Lobato, CPA
Chief Privacy Officer
575*646*5902