UA ISO Risk Assessment GDPR Questions

If you are doing business with persons located in the EEA, you should be aware of the GDPR and related obligations. As a first step in understanding your unit's GDPR profile, consider the questions below. This self-assessment will help to uncover areas which may need attention.

  1. Does the information resource include A) a web or other user experience; B) marketing elements; C) person-related data that the University owns, manages, uses or collects?

  2. Does the information resource purposefully translate (or enable translation of) web or application user interfaces into a foreign language or otherwise direct such user interface towards any geographic area outside of the United States of America?
    1. What countries are the focus of this translation?
    2. Do you have or plan to have an operational presence in those foreign locations?

  3. Are web cookies used in any manner for any purpose? For instance, to improve or personalize the web experience, or to collect and use location or other user data for any targeted marketing, analysis or research purposes.
    1. Is the purpose of the cookies well understood and documented?
    2. Are users notified of the cookie use?

  4. Do you participate in student or faculty exchange, visitation, collaboration or research programs with international persons, institutions or other organizations? If yes:
    1. What foreign regions or countries are the focus of this activity? (If the same as identified previously, please indicate "Same".)

  5. Is any direct marketing performed, offering products, goods or services to international persons, institutions or other organizations? If yes:
    1. What foreign regions or countries are the focus of this activity? (If the same as identified previously, please indicate "Same".)

  6. Is any person-related data collected from individuals or obtained from third parties through the use of forms, files, email or any other data collection or exchange?
    1. Is the nature of collected or obtained data well understood and documented (do you know what all the data is)?
    2. Is the purpose of the data collection well understood and documented?
    3. Is the data being used for any reason(s) other than the reason(s) for which it was originally collected?
    4. Is the geo-location where the data was obtained, or the geo-location of the person whose data is being collected, available?

  7. Is any person-related data sent, distributed or provided to others (inside or outside the UA, including individuals, colleges, units, vendors or any other third parties)?
    1. To whom is the data provided and to what location(s) is the data sent?

  8. Does any current or proposed research or behavioral analysis involve person-related data, regardless of whether the data is directly or indirectly obtained?
    1. Are any of the subject persons located in the European Economic Area (EEA)?

  9. Is any person-related data used in any automated decision making or in any other profiling techniques or mechanisms?
    1. Briefly describe the activity and its purpose.

  10. Does your office collect, store, or use any sensitive personal data about people while they are located in the EU?

  11. Are you comfortable with the privacy standards that you have around the data?

  12. Have you taken any steps towards GDPR compliance?