By Denise Dolezal. As news sinks in that the European Union’s (EU) General Data Protection Regulation (GDPR) applies to UC, it might cause some consternation across the university. But what if there is a bright side to the extraterritorial nature of the regulations?
UC’s privacy paradigm actually exemplifies the principles and rights embodied in the GDPR, and it also reflects elements of other nations’ privacy regulations. So could it be that UC’s privacy standards uniquely position our compliance posture far ahead of other U.S.-based organizations and institutions? I believe they do.
UC has a long legacy of protecting the privacy of our students, faculty, staff, and constituents. For example, Rules of Conduct were promulgated in the mid-1980s for UC employees who handle information about individuals. Today, these long-standing values support the proper application of the similar GDPR requirements at UC.
The university also complies with a number of privacy-focused California state and federal laws and regulations, as well as a range of related UC policies, that align with the GDPR in principle. Additionally, UC strives, as a matter of best practice, to align with parallel industry standards such as NIST, ISO, and PCI DSS.
To illustrate the parallels I observe between UC’s privacy compliance paradigm and the GDPR, I created a tool to communicate a gap analysis. It uses stoplight colors to depict the various levels of UC’s compliance alignment with GDPR concepts. You can see the complete graphic online. To give you a sense of it, I have also included a small snippet below.
Notice all the green color (the boxes with Xs in them) demonstrating where UC complies with GDPR concepts through existing law, policy, or adherence to standards. Most of these mechanisms have been in place for decades at UC! The table lists the following GDPR requirements:
- Access requests (a.k.a. data subject requests or DSR). Check.
- Transparency. Check.
- Data breach response, security controls, data minimization, accuracy (a.k.a. rectification), accountability, right to be forgotten (a.k.a. opt out). Check.
Check. Check. Check. Check. Check. Check. My conclusion? UC actually is in a good position with respect to being able to comply with the GDPR.
Yes, UC should continue to evaluate its policies and processes for GDPR compliance. However, in a data-driven and data-rich institution, a central objective should be not only to comply with the GDPR, but also to continue to embed in our values the responsible, accountable, and ethical data stewardship that our students, faculty, staff, and constituents expect.
This is how we will ensure their privacy is curated appropriately and transparently, in balance with innovation. Responsible data stewardship fosters trust in the University of California as the premier public institution of higher education.
Denise Dolezal is chief privacy officer, UC Santa Cruz. She leads the campus’s GDPR Taskforce to oversee implementation, distribute information, and facilitate compliance efforts for the European Economic Area’s sweeping extraterritorial privacy regulations.