EU data subjects are individuals physically residing in the EU, irrespective to nationality or permanent place of residence. This includes members of the GW community who may be residing (permanently or temporarily) in the EU, and EU residents who attend GW.
What is GDPR?
The GDPR is focused on the personal data of EU data subjects. Personal data is any information about an identified or identifiable EU data subject and includes name, address, online identifiers (including IP addresses), location data (e.g. GPS coordinates), email address, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life, and sexual orientation.
The GDPR gives EU data subjects significant new rights over how their personal data is collected, processed, and transferred by data controllers and processors. Under GDPR, EU data subjects have the right to, among other things:
- Access any data that an organization has collected about the individual;
- Know why an organization is processing the individual’s personal data and the categories of personal data that an organization processes;
- Correct any errors in personal data collected or processed by an organization;
- Know how long an organization will store the individual’s personal data; and
- Under certain circumstances, require the organization to permanently delete the individual’s personal data (this right is sometimes referred to as the right to be forgotten or the right to erasure).
From an organizational perspective, GDPR requires significant data protection safeguards be implemented and imposes a number of obligations; notable requirements include that the organization:
- Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists;
- Minimize the collection and processing of personal data whenever possible;
- Protect any personal data that it collects and uses;
- Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal data of data subjects, implement a plan to mitigate those risks and impacts and continuously monitor both the risks and the mitigation plan for change; and
- Have a breach notification policy, and notify authorities within 72 hours of learning of the breach.