How the new EU General Data Protection Regulation (GDPR) Will Impact Higher Education Institutions in the U.S. and Around the Globe

The European Union’s new General Data Protection Regulation (GDPR) will have widespread effects on education institutions around the globe.

The new standard, which aims to protect citizens of the European Union (EU) from data breaches, requires that any organization or institution (within or outside the EU) that processes or holds personal data of people residing in the EU comply with the new standards by May 25, 2018. Under the new standard, ‘personal data’ is defined as “Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer IP address.”

The following circumstances are some examples of how your educational institution may fall within the scope of the GDPR. Any institution that meets these criteria should review its processes and align them with the new standards:

The checklist “Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now” created by the Information Commissioner’s Office (ICO) highlights 12 key elements to help you get ready for the new standards:

  1. Awareness – You should make sure that decision-makers and key people in your organization are aware that the law is changing to the GDPR.
  2. Information You Hold – You should document what personal data you hold, where it came from and who you share it with.
  3. Communicating Privacy Information – You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals’ Rights – You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Subject Access Requests – You should update your procedures and plan how you will handle requests to take account of the new rules.
  6. Lawful Basis for Processing Personal Data – You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  7. Consent – You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
  8. Children – You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
  9. Data Breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Data Protection by Design and Data Protection Impact Assessments – The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes Privacy Impact Assessments (PIAs) – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
  11. Data Protection Officers – You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.
  12. International – If your organization operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.