Frequently Asked Questions (FAQs)
Q: Where can I find the requirements within the BPM?
A: BPM Section 12.6 Data Privacy.
Q: When did the BPM Section 12.6 go into effect?
A: July 1, 2021.
Q: Where can I find definitions of data privacy terms and acronyms?
A: Data privacy definitions can be found within: BPM Section 12.6 Data Privacy, DSR Process Guide, RoPA Process Guide, and IT Handbook Section 6.
Q: Who should I contact if I have questions about the BPM Section 12.6?
Q: Are there checklists of what institutions must do to comply with BPM Section 12.6?
A: The Privacy Checklist and the GDPR Checklist (if your institution is subject to GDPR, meaning it has a high volume of students, employees (faculty and staff), partners, etc. from or operating in the European Union). Both checklists can be found on the USG Data Privacy webpage at: Institutional Guide.
Q: Where can I find points of contact at each of the USG institutions?
A: On the USG Data Privacy webpage at: Institutional POCs.
Q: What is due from institutions regarding Data Privacy requirements by December 31, 2021?
A:
1. Institutional consent forms must require a human action.
2. Website privacy disclaimers with a point of contact are present on the following institutional webpages: (1) home page; (2) human resources page; (3) admissions pages (undergraduate and graduate); and (4) foundation home page (if any).
3. Institution’s privacy notice/policy is online with contact information.
Q: What is due from institutions regarding Data Privacy requirements by June 30, 2022?
A: Institution has supplier management processes in place to identify any data security requirements and embed, when appropriate, those data security requirements in any contracts/agreements.
Q: What is due from institutions regarding Data Privacy requirements by December 31, 2022?
A: Institution has implemented a formal process for data subjects to submit a request, which also tracks the processing of the data subject request (DSR) from open to close.
Q: What is due from institutions regarding Data Privacy requirements by December 31, 2023?
A: Institution has: a) identified and documented all instances of personal data within the scope of the institution’s business activities, processes and supporting systems, developing an institutional record of processing activities (RoPA); and, b) developed and implemented a plan to execute and maintain the RoPA.