Disclaimer: The content on these webpages appears as a courtesy to site visitors and is for general informational purposes only. To obtain a copy of the official applicable policy or regulation, please contact Brookdale’s Public Records Custodian via the Public Records webpage of the Brookdale website at https://www.brookdalecc.edu/about/public-records

I. Title of Regulation

General Data Protection Regulation (GDPR) Regulation

II. Objective of Regulation

This Regulation outlines the College’s application of GDPR requirements.

III. Authority

Board of Trustees Bylaw 1.3054; Policy 4.7002 Information Security Program; EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.

IV. Regulation Statement

The objective of this Regulation is to outline Brookdale Community College’s (the “College”) administrative, technical, and physical information safeguards mandated by the General Data Protection Regulation (“GDPR”).

The European Union (E.U.) adopted the GDPR on 27 April 2016, which sets in place new data protection and compliance standards that seek to unify and strengthen data usage practices and protections for all individuals who reside in the E.U. It also aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by centralizing the regulation within the E.U. Since the scope of these protections is very broad and encompasses any export of personal data outside the E.U., the GDPR has widespread effects throughout educational institutions around the globe. In order to safeguard E.U. citizens from data breaches, the GDPR requires that any organizations or institutions (within or outside of the E.U.) that process or hold personal data of citizens residing in the E.U. be compliant with the new standards. The GDPR became enforceable on 25 May 2018.

This Regulation, together with Brookdale Community College’s (“the College”) written Information Security Program (“the InfoSec Program”) Policy (Policy 4.7002) and accompanying Regulation (4.7002R) addresses information safeguards mandated by the GDPR.

1. Applicability

The GDPR standards apply to the obtaining, processing, storing, and security of any record that contains non-public personally identifiable information about a student or other third party who has a relationship with the College, whether in paper, electronic, or other form, which is handled or maintained by the College or on behalf of the College or its affiliates. For the purposes of this Regulation, non-public personally identifiable information (PII) is further explained and governed under the four levels of data classification defined by the College’s Data Classification and Permitted Use Regulation (4.7003R).

2. Key Definitions

2.1 The GDPR defines a ‘data subject’ as: “identified or identifiable natural person[s] who reside[s] in the E.U.” The intentional breadth of this definition implies that, regardless of whether or not an individual is an E.U. citizen or permanent resident, the GDPR will apply to their information. For instance, the GDPR requirements would also apply to American students or faculty members who communicate with campuses while they are in Europe.

2.2 Under the new standard, ‘personal data’ is defined as: “any information relating to an individual [i.e. ‘data subject’], whether it relates to his or her private, professional, or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

2.3 The GDPR defines ‘data controllers’ as: “the natural or legal person, public authority, agency, or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” ‘Data controllers’ are those persons or groups that make decisions about personal data processing.

2.4 The GDPR defines ‘data processors’ as: “those entities that process personal data on behalf of data controllers, and as directed by data controllers of personal data.” ‘Data processors’ are those persons or groups to whom data controllers have delegated or outsourced personal data processing activities.

3. Roles and Responsibilities

3.1 Responsibilities: The College’s Vice President of Finance and Operations (VPFO) and Chief Information Officer (CIO) are responsible for coordinating and overseeing the College’s InfoSec Program; implementing GDPR compliance is a component of that program.

3.2 Risk Identification, Assessment, and Compliance: As part of the College’s written InfoSec Program Regulation, the College will identify and assess external and internal risks to the security, confidentiality, and integrity of non-public PII. This identification and assessment includes:

3.3 Designing and Implementing Safeguards: The CIO will work with departments to implement safeguards to control the risks identified through the audits, governance reviews, or data protection procedures mentioned above.

3.4 Overseeing Service Providers: As part of the College’s third-party Institutional Data safeguarding process, and under the direction of the VPFO, all service providers that handle, store, transmit, or receive Institutional Data must incorporate language into the College’s contracts stating that the service provider will protect the College’s Institutional Data according to commercially acceptable standards and no less rigorously than it protects its own data. For service providers or vendors that provide Software-as-a-Service solutions (hosted solutions) and handle, store, transmit, or receive Institutional Data, the College also requires inclusion of an InfoSec contract clause, which will be reviewed by the Executive Associate Legal Services, the CIO, and the VPFO.

3.5 Adjustments: The VPFO and the CIO are responsible for evaluating and adjusting the GDPR Regulation based on the risk identification and assessment activities undertaken, as well as any material changes to the College’s operations or other circumstances that may have a material impact upon it.

4. Review Cycle

This Regulation will be reviewed and updated as needed, at least annually.

5. Compliance and Enforcement

As described in the InfoSec Program Regulation (4.7002R), whenever a faculty member, staff member, contractor, student, or third party is found to be negligent in, or to have blatant disregard for, compliance with the InfoSec Program Policy or an approved security compliance standard, the College’s first recourse will be training the offender. Additional infractions will incur progressive discipline. The College reserves the right, however, to consider certain single incidents of non-compliance to be so harmful as to immediately rise to the level of more serious disciplinary consequences, up to and including a long-term suspension of employment, termination of employment, removal of service, academic suspension, academic expulsion, termination of third-party relationship, or termination of contract.

V. Responsibility for Implementation

The President.

The VPFO and CIO are responsible for monitoring compliance with this Regulation and reporting instances of non-compliance to the College’s Senior Leadership Team stakeholders.

Related Policy: https://www.brookdalecc.edu/about/board-of-trustees/college-policies/4-0000-business-finance/4-7002-information-security-program/

Approved by Brookdale’s Data Standards and Information Security IT Governance Committee on 9/9/2020

Approved by Brookdale’s Information Technology Steering Committee on 10/8/2020

Approved by the Senior Executive Leadership Team on 1/6/2021

Approved: President, 1/6/2021