- Chancellor’s Office
- Board of Trustees
- Faculty & Staff
- Join Our Network
- UMS Data Book
- System Office
- System Directory
European Union’s General Data Protection Regulation (GDPR)
Applicability of the GDPR to University of Maine System Activities
GDPR applies to the UMS whenever we seek to use personal data in connection with offering goods and services to people that provided us the data while they are located in the EU. This could involve enrollment of international students at a UMS campus who apply while in the EU, whether directly through UMS websites or through recruiters engaged by UMS that are located in the EU.
This resource will serve to inform the University community on how to interpret and achieve compliance under GDPR. This page includes the following sections:
UMS GDPR Action Plan
The following set of actions will help the University achieve compliance with GDPR. Actions are categorized into (5) groups and the priority of each action is indicated to systematically reduce risk for the University.
Inform/Plan/Survey (Priority 1)
- Communication to leadership and the University community
- Formation of working groups of stakeholders
- Survey of EU data collected and held
- Conduct a review of UMS systems to determine what information is currently held of EU residents, the purpose of our having that data, the original source of that data (with consent of the subject or under contract), how information is held and secured, and whether and with whom the data was shared. The survey should include groups likely to have contact with EU citizen data such as International Programs, IT, Admissions, Alumni Relations, Development, HR, and Research. The survey should work to identify what data each group houses and focus on the points of control where technological and procedural safeguards may be established to ensure compliance.
Privacy Notices (Priority 2)
- Update privacy notices for data collected from those residing in EU and make available as appropriate
- Privacy policies must be in clear and easily understood (with language that does not include legalese) and should be presented on websites that seek to collect information from EU citizens. Consent/privacy notices are to include the purpose of collecting the data as well as a description of what data is to be collected. Consent management should be considered when developing privacy notices.
Breach Response (Priority 3)
- Incorporate GDPR in Information Security Incident Response Process Documentation
- Under GDPR breach notification requirements, a review and revision of information security procedures will be warranted. The review should consider responsibilities of notification to the data subject and to supervisory authorities in the EU, the circumstances requiring notification under the GDPR, and the documentation requirements surrounding breach investigation and response. Further review of information security measures currently employed for effectiveness of risk management and appropriateness of protections in relation to the categories of data will also be required.
Data Management (Priority 4)
- Review contracts that include EU residents’ information and amend as needed.
- Identify all contracts with entities tasked with processing data from EU citizens. Review the privacy practices and data safeguards of the processor and whether they are likely to be in compliance with the GDPR.
- Review data collected per survey to determine if there are any outlying activities that require consent to collect information.
- Develop procedures for obtaining consent from EU citizens prior to collection of data from them – when consent is required. Consent should be sought for processing only where the processing is essentially optional to the data subject. If processing is necessary for the legitimate interests of UMS, a notice containing a description of the reasons and legitimate interests causing processing to be necessary should be given to inform the subject that processing is to occur. The notice should include that the data subject retains their right to object to any processing of their data.
- Develop process for handling requests to access data.
- GDPR provides a right to access all data of a subject upon request of the subject. Prior to release of any such data, the controller has the responsibility to verify the identity of the person requesting access and release data only to the data subject directly. This may be accomplished through confirmation of information requested in the original consent under which the data was collected.
- Develop process for handling requests to correct or delete data.
- Develop procedures for responding and executing requests for responding to and executing requests for the monitoring and correction of data from the data subject.
- Identify high-risk data and assess opportunities for data minimization.
- Activities regarding minimization consist of for areas: current processing, records, retention and destruction, and assessment.
Other (Priority 5)
- Determine research requirements for subjects that may be EU residents.
- Work with campus IRB units to incorporate GDPR considerations for any research that involves EU residents. Consider developing procedures surrounding such activities.
- Data Subject – Residents of the EU whose personal data is being obtained and/or processed.
- Data Controller – The original recipient of the data subject’s personal data. Has the power and responsibility to direct how the data is to be held and used.
- Data Processor – Any entity that processes EU citizen data on behalf of the data controller. Data controller and processor may be the same entity.
- EU – 28 countries currently make up the European Union: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom (the UK has voted to leave the EU but is currently still a member).
- Processing – Any use of data for any purpose.
- Personal Data – Any data of a data subject that may be used to personally identify the subject. Includes electronic identifiers such as IP addresses, device ID/MAC addresses, etc.
- Sensitive Personal Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Processing of sensitive personal data may not occur without explicit informed consent of the data subject.
- Data Protection Officer – An employee or contractor of the data controller responsible for monitoring compliance with GDPR, advising on processing activities and data protection practices, and serving as the contact for supervisory authorities and the public regarding data protection.
- Data Controller/Processor Representative – A person in the EU designated as the representative of the controller and/or processor in the EU State where the data subject is to ensure compliance with the GDPR. If the processing is occasional and does not represent a significant risk to the rights and freedoms of the data subject, the controller/processor is a public authority, or the controller/processor employs less than 250 persons. What amounts to occasional processing is unknown at this time and is unlikely to be known until the GDPR comes into effect.