GDPR Information

The European Union’s General Data Protection Regulation 2016/679 (“GDPR”) imposes stringent new data privacy restrictions for organizations that control or process personally identifiable information about people in Europe. While the regulation is primarily aimed towards data controllers and processors located in the European Union, it also applies to non-EU processors where the processing activities are related to:

This is admittedly a small amount of the College’s data. Nevertheless, because there is some data that will fall within the scope of the GDPR, it is important for us to begin taking steps to comply with the GDPR.

Following the completion of the inventory performed by GreyCastle on May 4, 2018, the paragraphs below outline language for contracts with vendors subject to the GDPR and recommendations for updates to the College’s website privacy policy. It concludes by highlighting areas for future consideration to enhance compliance with the GDPR and adopt best practices for data security.

1. Contracts with Companies that Process GDPR-Covered Data

Under the GDPR, organizations that contract with vendors to process data subject to the GDPR must enter into written agreements covering certain proscribed terms, including specific information about the processing engaged in by the vendor. Many larger vendors have already proposed amendments or addenda to their written agreements with the College to satisfy the requirements of the GDPR. For those that have not, however, the Data Protection Addendum offers template language for such agreements. In order to satisfy the requirements of the GDPR, Appendices 1 & 2 will need to be completed to identify the specific data being processed and the contractor’s technical plans.

In order to ensure compliance going forward, Wheaton College data stewards should reach out to each vendor potentially engaged in the processing of data involving persons residing in the EU to begin the process of adopting an addendum their contracts. Please note: this requirement extends to not only technology vendors, but also other third-parties that process personally identifiable information in the European Union on our behalf, such as study abroad partners or marketing agencies. Bryan Seiler is available to review any drafts or edits to our drafts as requested.

2. Website Privacy Policy

Given that potential data subjects that fall within the scope of the GDPR may access our website, it is also recommended that we update our privacy policy to address the required elements of the GDPR. Articles 13 and 14 of the GDPR provide a number of required elements for such a policy to address, including references to rights of review, erasure, and contact information for the controller (the College).

Here is a draft updated website privacy policy building on a template from another institution that has been leading the way in GDPR preparedness. As noted in the document, there are several institution-specific technical details that will need to be provided.

See a memo from GreyCastle Security for further information.