List 39 Marketing and Media

European Union General Data Protection Regulation

To:       Executive Vice Presidents, Chancellors, Vice Presidents, Vice Chancellors, Vice Provosts, Deans, Directors and Heads of Schools, Divisions, Departments and Offices

From:   Greg Hedrick, Chief Information Security Officer
            Trent Klingerman, Assistant Legal Counsel and Chief Privacy Officer

Date:    January 22, 2018

Re:       European Union General Data Protection Regulation

Beginning May 25, 2018, some of Purdue’s activities will be subject to new, relatively stringent regulations governing the use of personal data.  The European Union’s General Data Protection Regulation (“GDPR”) imposes new requirements on entities that control or process personal data about people in the 28 member countries of the European Union (“EU”).  GDPR’s requirements apply to entities located outside of the EU who control or process the personal data of anyone who is in the EU.  GDPR applies regardless of whether the person whose data is controlled or processed is a citizen or permanent resident of an EU member country.

A small working group is analyzing GDPR’s potential application to university operations. The group is comprised of:

Greg Hedrick, Chief Information Security Officer
Trent Klingerman, Assistant Legal Counsel and Chief Privacy Officer
Diane Beaudoin, Chief Data Officer
Jerry Ross, University Registrar
Peg Fish, Director, Audits
Karen Monkhouse, Director, Information Assurance
Deb Trice, Director of Compliance

The group’s early work has focused on understanding GDPR’s scope and requirements, comparing those requirements to existing university policies and processes, and identifying particular areas to which GDPR is most likely to apply.  For example, one area of current focus is the process of recruitment, admission and enrollment of students from EU member countries.

After we have identified the areas to which GDPR is most likely to apply, our next step is to solicit specific information regarding the manner in which personal data of people in the EU is controlled or processed.  A communication that fully defines the key terms and solicits more specific information regarding data handling practices will be circulated to these areas in the first two weeks of February 2018.  The objectives of the communication are to permit the working group to fully understand the extent to which any given office might be impacted by GDPR and ensure all impacted areas are identified. 

Please feel free to contact any member of the working group with questions about GDPR.