WEST LAFAYETTE, Ind. – Access to the Purdue University student newspaper, The Exponent, is currently unavailable to individuals located within the European Economic Area (EEA), including the European Union (EU), due to the enforcement of the General Data Protection Regulation (GDPR). The website displays a message informing users of the restriction and providing contact information for assistance.
The GDPR, a comprehensive data privacy law enacted by the EU in 2018, governs the processing of personal data of individuals within its jurisdiction. As previously reported by Purdue University, some of its activities fall under these regulations, particularly concerning the handling of data collected from individuals in the 28 member countries of the EU. The regulation applies to entities outside the EU that control or process the personal data of those within the bloc, regardless of their citizenship or residency status.
According to Purdue’s Chief Information Security Officer Greg Hedrick and Chief Privacy Officer Trent Klingerman, the GDPR requires that personal data be “processed” fairly, lawfully, and transparently. This encompasses the collection, handling, storage, disclosure, and destruction of data. The university must establish a legal basis for processing an individual’s information, which can include a legal obligation or consent from the individual.
The situation highlights the complexities organizations face in complying with international data privacy regulations. Purdue University has previously acknowledged the impact of GDPR on its operations, specifically mentioning recruitment and admission of students from the EU as priority areas for analysis. Exponent’s Information Security program is audited annually, both internally and externally, to ensure compliance with policies and applicable security and privacy standards, including the GDPR and the California Consumer Privacy Act (CCPA).
Purdue’s Data Security Framework
Purdue University maintains a robust Information Security and Data Privacy program, detailed in the Exponent Information Security Management System (ISMS) and Privacy Information Management System (PIMS). These programs are overseen by the Board of Directors and senior leadership, and operated by dedicated professionals. The university’s Information Security team conducts risk assessments and manages risks through a documented process. Exponent’s systems and data are protected by policies covering acceptable use, remote access, passwords, digital systems use, mobile devices, wireless communication, privacy, security incident reporting, data backup, information sensitivity, physical security, and supplier relations.
Access controls are implemented to limit data access to authorized users and devices, requiring unique user IDs with complex passwords and frequent password changes. Two-factor authentication is also required for remote access and cloud systems. These measures are aligned with frameworks including the NIST Cybersecurity Framework, NIST SP 800-171, and ISO 27001 and ISO 27701 standards.
Recent Contractual Clarification
In a separate statement released on June 5, 2025, Purdue University clarified its relationship with The Exponent, stating that any use of university facilities by a private business organization requires a contract. The university noted that the contract between The Exponent and Purdue University had long expired. Read the full statement here.
The current access restrictions to The Exponent’s website for EEA users are directly linked to the GDPR regulations and the university’s commitment to protecting personal data. The university’s policies regarding information technology are designed to maintain a trusted and effective IT environment, vital to its mission of discovery, learning, and engagement. See Purdue’s Information Security and Privacy policy here.
The situation underscores the increasing importance of data privacy compliance for institutions operating in a globalized digital landscape. As Purdue University continues to navigate the complexities of GDPR and other data protection regulations, it will be crucial to maintain transparency and ensure the privacy rights of individuals within the EU. Users experiencing access issues are directed to contact The Exponent via email at [email protected] or by phone at 765-743-1111.
What comes next will depend on Purdue University’s ongoing assessment of GDPR requirements and its ability to implement solutions that allow access to The Exponent’s website for users in the EEA while remaining compliant with data privacy regulations. Share your thoughts and experiences in the comments below.
