EU General Data Protection Regulation

The General Data Protection Regulation "GDPR" is a European Union "EU" regulation that governs the processing and movement of EU resident's personal data. The GDPR, which was effective May 2018, replaces the 1995 Data Privacy Directive, and has a broader territorial scope and more significant fines (up to $20 million) for violations than prior EU law. The GDPR applies to entities located outside of the EU that handle personal data about EU residents when offering them services or monitoring their behavior. As the regulation is new, our understanding will continue to evolve over time.

The EU GDPR sets a broad definition for personal information and establishes a variety of requirements regarding the handling of EU residents’ personal information. Note that the law specifically applies to EU residents rather than citizens. It does not apply to EU citizens while they reside in the United States. However, it does apply to United States citizens when they provide data to the University while temporarily located in the EU.

At a high level, GDPR addresses the following requirements:

• Data processing must be lawful, meaning that one of the following apply:
  • Consent for processing was obtained from the individual(s)
  • A legitimate interest exists – details are further defined in the law
  • A contractual relationship exists – data processing is done to meet the obligations of a contract
• Data collected must be adequate, relevant and proportionate
• Data must be retained only as long as necessary and must be secure
• Data transfer restrictions exist outside of the EU
• Notice must be provided to individuals about how data will be processed and used

In addition, data subjects have a number of rights, including the:

• Right to be informed
• Right to Access their data
• Right to correct data
• Right to request deletion of data

Compliance for NKU

A core group, has been evaluating the impact of GDPR at NKU. This group is working closely with campus members that we expect to be most impacted by GDPR. If you would like to discuss the impact of GDPR on your department, email Grant Garber at garberg1@nku.edu for more information.

Questions?

Contact us at garberg1@nku.edu if you have questions or concerns about the GDPR, how it may apply to your unit or inquiries related to personal data that may be collected and processed by Northern Kentucky University.

Resources

• Requests regarding your data can be submitted here.
• Full text of the GDPR is available at https://gdpr-info.eu/
• Addendum to General Data Protection
• GDPR Notice to NKU Travelers to EU

Acknowledgment of the NKU Values & Ethical Responsibilities is now completed during the annual Compliance Refresher training course (for current NKU faculty and staff) and during the completion of the Safe Colleges Workplace Ethics training course for new employees.

For compliance information regarding NKU Procurement Cards (PCARD), click here.

Northern Kentucky University does not discriminate based on national origin, race, color, age, gender, gender identity, gender expression, sexual orientation, religion, political affiliation, physical or mental disability, genetic information, pregnancy, and Uniform Services or veteran status in its educational programs and activities, employment, daily operations and admissions policies, in accordance with all applicable federal, state and local laws and university policies. No retaliation shall be initiated against any person who makes a good faith report of a violation.