Update: May 18, 2018
*As you may be aware, the General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. The GDPR is a new European Union regulation on the protection of the personal data and privacy of individuals located in the EU.
*GDPR requires organizations to protect the personal data and privacy of EU individuals, and it applies to processing of that data even when the organization itself is located outside the EU. GDPR carries tough penalties for non-compliance (up to €20 million or 4% of global annual revenue for the prior year, whichever is greater).
*Some quick definitions of an EU Individual and EU personal data are provided towards the bottom of this notification.
*Under GDPR, an EU Individual / Data Subject can exercise the following rights:
--Right to be Informed: Individuals have the right to be informed about the collection, purpose, and use of their personal data.
--Right to Rectification: Individuals can make a request to rectify or complete their personal data, if it is inaccurate or incomplete.
--Right to Erasure (Right to be Forgotten): In certain circumstances, individuals can request to have their personal data erased.
What this means for Columbia and CBS:
*Each CU school that is affected by GDPR designated two representatives to handle GDPR requests for the school. For CBS, Richard Hall is the primary contact and Jase English is the alternate.
*Richard and Jase can leverage two resources in the GDPR representative role: a Columbia University GDPR web page which acts as a central point of contact to handle all GDPR data subject requests and inquiries, and an automated ServiceNow GDPR workflow.
*ServiceNow allows users to submit the following types of requests: the Right to be Informed, the Right to Rectification, and/or the Right to Erasure. For Rectification and Erasure requests that cannot be processed because fulfilling them would disrupt business operations and/or violate legal/regulatory requirements, an automated email response will be sent to the requestor.
*Other requests will automatically be routed to Richard and Jase for further action. Any additional GDPR requests or questions should be submitted via email to [email protected] and will be handled on a case-by-case basis.
*Richard and Jase are responsible for leading GDPR operational readiness at CBS. We are working within ITG to ensure that our Help Desk and the broader CBS community are informed and prepared to address GDPR-related inquiries and requests. A timely and appropriate response is critical to successful compliance.
*We greatly appreciate your support in working with us to prepare Columbia University for GDPR compliance.
What this means for those who maintain web sites for CBS:
*If you manage a web site that does not end in .gsb.columbia.edu, then you need to add the CU cookie statement to your website as shown below.
This is a link to the Columbia University Website Cookie Notice
*EU Individual - An individual who is physically located in an EU member state. This definition includes both EU citizens and non-EU citizens physically located in the EU.
*EU Personal Data - Personal Data that relates to an EU Individual
*Personal Data - Any information relating to an identified or identifiable natural person, such as a name, an ID number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
--Additional examples of Personal Data include: home or work address, email address, passport number, national ID number, IP address, cookie identifiers, driver's license number, financial account number, credit card number, transaction history, telephone number, academic grades, test scores, disciplinary records, photographs, and performance evaluations
*Is there any defined timeframe in which data is to be purged, upon request?
--Provided that fulfilling the request does not disrupt business processes and/or violate regulatory/legal requirements, the expectation is that GDPR requests should be completed within 30 days (the regulation itself sets a deadline of one month from receipt of the request). A longer period is allowed if the request is complex or more research is needed; GDPR permits the one-month period to be extended by up to two further months for complex or numerous requests, provided the requestor is informed of the extension and the reasons for it within the first month.
*Is there any wording that can be provided to those who send externally marketed email campaigns?
--No, but they should be reminded that only the information necessary to support the business requirement and process should be used.
*Do we need to provide the cookie message on sites that we use internally for monitoring?
--The CU cookie statement needs to appear for any CU websites that are publicly accessible.
Information Security Support
E-mail: [email protected]
Columbia Business School is committed to protecting the privacy, data, devices and other information assets of its constituents. All Columbia Business School community members have a shared responsibility of helping to maintain the information security of the University.
Proper handling, protection, and dissemination of data and other information is vital to the academic goals and success of the Business School. We at ITG define and implement Columbia Business School policy, procedure and standards. We also provide information security governance, network and application security, identity and access management, and security awareness training. Moreover, we conduct vulnerability management and risk assessment projects for the business school.
Please feel free to contact us with questions or for help. If you see something, say something! Please report suspected security incidents and phishing email to: [email protected]