Questions and Answers from the 7/26/18 GDPR Open Forum

These questions were asked by attendees at the July 26, 2018 General Data Protection Regulation (GDPR) Open Forum and answered by Sol Bermann, university privacy officer and interim chief information security officer, and David Grimm, associate general counsel.

The presentation covered some history, why and when GDPR might apply for U-M, U-M's approach to GDPR, and more.

Can you talk more about how the GDPR will be enforced?

We don't know. Think, by way of analogy, of HIPAA. It wasn't enforced for a dozen years after it passed or so. We don't know when GDPR will be enforced, although the EU is more inclined toward enforcement now than in the past.

Will the updated privacy notice and cookie consent code be made avail to U-M units?

Yes, we are putting together a GDPR toolkit that will cover this.

What about advertising, especially for student recruitment? Is that affected by GDPR?

It's on the list of things to address, but not high on the list. Higher on the list are things like research studies coming in from the EU and direct recruitment of students from the EU.

Can you talk about what in our processes would need to change to be compliant?

The GDPR requires you to have a lawful basis for processing the data. There are a number of lawful bases, so it really depends on the use case of the data.

If we have Google analytics, is it Google's responsibility to ensure privacy under the GDPR or ours?

If we are keeping the data, that is, if we are the controller of the data, it is our responsibility.

Is the right to erasure of personal information absolute?

No, it is not absolute. For example, it is highly unlikely a student could ask to erase their academic record. In addition, U.S. law may butt up against the GDPR. U.S. law may require you to keep some data that someone asks to have erased under the GDPR. Similarly, you need to track something for contractual reasons that someone asks to have erased. These conflicts will need to be worked out over time, and you would need to explain your reasons for not complying.

What about if you are conducting a long-term longitudinal study, collecting data across U.S., and some of the people move to the EU. The data could include sensitive mental health data? Would GDPR apply?

Probably. A lot of what we already have in place for consent for research with IRBs and sensitive human subjects addresses situations like this. We have recently made some tweaks to our IRB consent language to cover a scenario where data is collected in the EU.

You said that GDPR could come into play for students studying abroad. When does that come into play?

It is likely to apply to the information that is collected about them while in the EU and then shared back to the U.S.

How quickly should we move to incorporate consent for study abroad?

We shouldn’t assume that consent is always the best lawful basis for processing or collecting data. We have a small project team that is working through the processes identified so far with the working group, and this is one of them.

You said you sent surveys. Are UM-Flint and UM-Dearborn involved?

Not yet. We are still in the project phase, taking a risk-based approach and working first on the biggest data flows. We will get to Flint and Dearborn. If you are aware of significant data flows on those campuses, please contact us ([email protected]). It may be six months to a year before we get to some units.

What about employment relationship for HR, such as benefits for people living in the EU?

One of primary questions is where the person is located. If they are in the EU, we need to think about a basis for processing their data. U-M does not have branch campuses or institutes in the EU, which makes things simpler.

What if you ask someone if they are not a citizen of the U.S., and they tell you their country of citizenship? Is it okay to store that?

You need a lawful basis to collect or process the data if they are in the EU.

Does it apply if the person's data is collected here and they later move to the EU?

If the data is collected on U.S. soil, the GDPR does not apply at the time of collection.

Does individual citizenship matter for the GDPR?

No. That's one of the interesting aspects of this.

Say we get to the point where fines are being levied. How would we manage that? At the unit level? Centrally?

That is forecasting way in the future, and has yet to be determined.

Can we expect guidance from the EU on interpreting GDPR?

Yes. There are working groups and data protection authorities that will provide this sort of guidance over time.

For web-based data, does it matter where the servers are located? That is, for example, if the servers in the U.S., but the people are in the EU.

What matters is where the individual is located when the data is collected.

What if we are using a service?

If the entity providing the service is established in the EU, GDPR always applies. It's complex.

California recently passed its own privacy law. How do all these laws start affecting recruitment in addition to GDPR?

The idea of 50 different states with 50 different laws on privacy would be difficult to manage. We hope someone steps up at the federal level so we know what to do. There may be some federal laws for privacy at a level states can agree to, but it's not clear where things are going.