The EU’s General Data Protection Regulation (GDPR) provides all EU citizens with Data protection rights.  It is essential that Illinois State University is compliant with this regulation for all members of the campus community that are EU citizens.  This includes previous faculty, staff, and international students.

Subject Access Requests 

Under the EU General Data Protection Regulation, privacy is a right, much like rights provided in the US Constitution.  It provides citizens and visitors to the EU with two rights regarding data:

1. The right to be forgotten - deletion or anonymizing of data (to the point of irreversibility)
2. The right to request all data 

In short, citizens of the EU have the right to request all information about themselves from ISU, or request that data be deleted.  Data that must be retained (for legal or other reasons) must be deleted as soon as possible.  There are some things to keep in mind with GDPR:

• There is a 30-day period from when the request is received to comply.  This time starts from the moment the person makes the request.
• Notification may be verbal.
• Must verify the person’s identity
• If they are requesting records, it must be in a “common” (non-proprietary) format.
• Information with legal obligations may be kept.

What types of Information?

Anything that uniquely identifies an individual is considered sensitive for the sake of a GDPR request.  Some examples include:

• ULID
• IP Address
• Gender
• Personal relationships
• Political affiliations
• Cohabitation

Processing GDPR Requests

All GDPR requests should be sent to the AT security queue.  AT Security will determine the legitimacy of the request, verify the person’s identity, and delete or deliver the requested information.