July 8, 2020
Ep. 25 – Dr. Gabriela Zanfir-Fortuna, Senior Counsel for the Future of Privacy Forum & Bob Eckman, CISO at Kent State University
This week on Privacy Please, we take a closer look at how GDPR affects higher education and, even more importantly, how universities can create a framework to meet the regulations. We bring both perspectives to the conversation with Dr. Gabriela Zanfir-Fortuna, Senior Counsel for the Future of Privacy Forum, who helped negotiate the GDPR, and Bob Eckman, CISO at Kent State University, who works every day to keep his institution in compliance. When you listen to this week’s show, you’ll find out why Zanfir-Fortuna earned the nickname “Wonder Woman of GDPR” – and she even has a plaque to prove it.
Here are three highlights of this week’s chat:
Why You Need a Privacy Office – Actual Office Space Optional
Eckman tells us how just a few years ago he had never heard of a Privacy Office, which is a one-stop-shop for data privacy and now a common feature at universities. Some institutions’ privacy offices are in an actual office with people, such as a Chief Privacy Officer, working within. But not all of them have separate office space with dedicated workers.
The Privacy Office communicates how the university manages privacy and treats data, but even more importantly, it helps people feel comfortable interacting with the university environment. Eckman explains that some smaller schools don’t have a dedicated Chief Privacy Officer. In these cases, the CIO typically takes on the role to meet the GDPR requirement of a data protection officer who reports to the highest level of the organization. At larger schools, either there is a dedicated Chief Privacy Officer role or the Chief Security Officer handles those responsibilities.
Build your data privacy program with the future in mind
“Build your program for the worst-case scenario – plan for the worst and hope for the best. If GDPR is the most restrictive regulation, then build your privacy around those regulations. If you can meet those protections, then you’ll meet the majority of, if not all, new regulations and are building your program with the future in mind.”
– Bob Eckman, CISO at Kent State University
How Europeans View Privacy Differently than Americans
Every time Zanfir-Fortuna hears the term data privacy, she has a conflict in her head because the term isn’t used in Europe. The European Union legal framework protects the right to privacy and the right to data protection. While the right to protection of personal data is in another bubble, the two bubbles often interact. The European view refers to how personal data can be used – and if it even should be used. If you collect personal data, you need justification for why you need the data at that current point in time. In the U.S., data privacy laws typically cover a well-defined piece of information, such as PHI under HIPAA, which is different from the broad definition created by the GDPR.
The difference (and balance) of data protection and data privacy
“As part of the ongoing conversation in the U.S., we are thinking more about the differentiation between data protection and privacy. How do we protect personal data to achieve fairness towards people, which is a goal unto itself? Is that equivalent to protecting the intimate, private sphere of someone? Or can we think of them differently and value both at the same time?”
– Dr. Gabriela Zanfir-Fortuna, Senior Counsel for the Future of Privacy Forum
How Remote Learning Affects Data Privacy
While students did not see many holistic impacts from moving to a remote model, Eckman explains that on an administrative level, the shift opened a lot of new issues. With people working from home consistently, strange machines are connecting to strange networks on a regular basis. Many privacy regulations, such as HIPAA, require access controls on any machine displaying PHI so that only authorized users can see it, which creates additional challenges. Eckman says that in an office environment, his team uses creative ways to meet such requirements, such as using screen protectors and distancing workstations. But with remote environments, you can never be sure that the employee looking at PHI isn’t in their living room with family members able to see the screen.
However, he says that his school (Kent State) and many others quickly instituted some changes to help, such as VPN use and dedicated workspaces in homes. Because Kent State has a great relationship with Microsoft, he was able to set up advanced Microsoft authentication that allows employees to securely use tools such as Teams and Outlook while connected to a VPN. While Kent State was able to adjust with a tremendous amount of work and effort, he saw many other schools really struggle with the home security aspect.
Following regulations does not equate to a strong data security program
“If we were to follow regulations to the letter, such as HIPAA, GLBA, PCI, GDPR, I can implement a control that would meet a requirement in almost every one of those different compliance measures. But that doesn’t necessarily mean that I have a good security program and my data is secure.”
– Bob Eckman, CISO at Kent State University