ISU is working to comply with new EU data privacy law

A campus working group is preparing recommendations for how Iowa State should handle the European Union's new data privacy law, which takes effect next month. Among other requirements, the General Data Protection Regulation (GDPR) requires legal bases to process the personal data of a person in an EU nation.

Under the GDPR, personal data is information that can be used to identify people, including names, photos, email addresses, bank details, social media posts, medical information or computer IP addresses. Processing means any operation performed on personal data, such as collecting, recording, organizing, adapting, altering, disseminating or erasing.

The law undoubtedly will have some effects on Iowa State. The university recruits and enrolls students from EU countries. Students and faculty study, teach and research in the EU. The College of Design's program in Rome has a vast footprint. This activity creates data Iowa State processes, which means it needs a legal basis such as consent, a legal or contractual requirement, or a "legitimate interest," which is balanced against the impact on the individual in order to do so.

Stakeholders across campus are reviewing their systems to identify what data is affected by the GDPR. A legal basis for processing the data will then need to be identified. Iowa State must comply with the law by May 25, when it goes into effect.

The working group will recommend best practices to impacted departments. Recommendations may include treating all data as if it were subject to the EU regulations, purchasing software that identifies and treats personal data in compliance with the GDPR, and performing regular internal audits to ensure compliance.

Questions about the process may be directed to Drew Nishiyama in the university counsel's office at or 294-5352.