GDPR Vendor FAQ
FAQs for Vendor and Future Vendors
Q. Is Loyola University Chicago required to comply with the General Data Protection Regulation?
A. Yes. This Regulation establishes new rules for storing and processing the personal data of EU residents and visitors to the EU and applies to any organization doing business with or in the EU. Since Loyola University Chicago (LUC) has a campus in the EU and accepts international students, we are required to comply with the new regulation.
Q. What has LUC done to be GDPR Compliant?
A. Some of the activities that Loyola University Chicago has undertaken to comply with GDPR include establishing a working group, inventory of personal data processed by the University, development of a GDPR privacy notice and consent forms, and implementation of a Vendor assessment Process.
Q. Does LUC require that their Cloud Software Vendor or Data Processor be GDPR Compliant?
A. Yes. GDPR requires, where processing is to be carried out on behalf of a controller, Such as Loyola, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.
Q. Is a Data Mapping Survey Required?
A. Yes. The Data Mapping Survey is used to identify what, if any, personal data will be stored in the application and whether the GDPR will apply. This should be completed by the LUC Business Relationship Manager.
Download the LUC Data Mapping Survey. (Word)
Q. Does Loyola require a Data Protection Addendum (DPA) be signed?
A. The Data Protection Addendum is used to protect personal information (PI) about students, faculty, staff and other individuals when LUC is sharing information with another organizations.
Data Processing Addendum
Download the Loyola Data Protection Addendum (Word) and submit the completed form to gdpr@luc.edu.
Q. What other GDPR related documents does LUC require?
A. LUC also requires that a Vendor completed a GDPR Readiness Questionnaire if any data will be obtained from a person residing, visiting, working or studying in the European Union. If the answer to question 9 in the Data Mapping Survey, is yes, the survey is a requirement.
Download the GDPR Vendor Readiness Questionnaire. (Word)
Q. What other documents does LUC require?
A. In addition, LUC required that a DR Disaster Recovery Questionnaire be completed for all applications which have been identified as a Tier 1 or Mandatory Application. The Vendor must also provide the following information:
• Recovery Time Objective (RTO) for the application.
• What is the Recovery Point Objective (RPO) for the application?
• The last Disaster Recovery test exercise information (RTC, RPC, successful/unsuccessful).
Download the LUC Disaster Recovery Questionnaire. (Word)
Q. What is the process for submitting completed documents?
A. Required documentation submission will be coordinated by the LUC Business Relationship Manager. All completed documents should be submitted to gdpr@luc.edu. The documents will be reviewed and the GDPR group will contact you, if they have any questions or need additional information.
Q. If I have questions related to GDPR, who can I contact?
A. You may contact the GDPR group at gdpr@luc.edu.