Understanding the EU’s GDPR and What it Means for the United States

In a move that will arguably change international data interactions forever, the European Union passed the General Data Protection Regulation (GDPR), a law that drastically increases protections for EU citizens’ personal data. This law affects companies within the EU, as well as organizations such as universities or corporations within the United States that have any sort of online interaction or data sharing with EU citizens, with consequences in the millions of dollars if companies do not comply. Below, we’ll take a look at the GDPR in relation to technology as a whole, and specifically regarding U.S. universities.

What is the GDPR?

The purpose of the GDPR is to give data subjects more control over their data, reduce the overuse of consent, and require companies to implement measures that protect consumers’ data and privacy, as well as regulate and protect against data breaches. Additionally, the GDPR defines many rights for data subjects, including the right to access data, the right of erasure (to be forgotten), rights to restrictions on data processing, and to contest or not be subject to decisions based solely on automated processing. The GDPR defines three basic roles in data transactions: the data subject (the person the data is related to), the data controller (who dictates what is done with the data), and the data processor (what, or who, processes the data).

With respect to the organizations that use data – the controllers or processors – the GDPR imposes information management and transparency obligations that include implementing a comprehensive set of data protection safeguards, allowing data subjects to exercise their rights to control personal data (including the “right to be forgotten”), and complying with the GDPR’s data breach notification requirements. The GDPR stems from the idea that in Europe, unlike the United States, privacy is seen as a fundamental right. It focuses overall on the idea of data minimization, and presses institutions to become intentional about the data they keep in order to minimize the possibility of breaches or misuse. The GDPR will force these institutions to reconsider whether the amount of data they collect is necessary and to adjust their processes to fit its requirements.

The GDPR will have a massive impact on mass data collection, especially on AI. The GDPR will greatly limit the use of AI for applications such as e-recruiting, credit applications, or workplace monitoring, because businesses will now need to obtain explicit consent from each person who encounters this software. Additionally, the GDPR will also prohibit companies from using automated systems that make decisions that ‘significantly affect’ EU citizens, such as performance evaluations at work, and will allow citizens to review and contest these algorithmic choices. Failure to comply can lead to fines of up to four million USD. Regarding the GDPR and universities, it’s important to note that although universities are at considerable risk for GDPR violations because of the amount of data they exchange with Europe, via study abroad programs, alumni abroad, or exchange students, it’s unlikely that universities will be the first targets, as the law is geared more toward protections against platforms like Google or Facebook. However, it is still vital to comply with these regulations.

GDPR and Universities

Universities have three data buckets that are most likely to be impacted by the GDPR: foreign students attending in the United States or attending a satellite location abroad, human resources data such as records of EU citizens who are employees, and marketing data such as website interactions, regardless of whether the student ever attends the university. However, many universities think that because they follow FERPA they are on track to follow the GDPR – which is not the case. Unlike the GDPR, FERPA only applies to students, and expressly excludes the very data the GDPR seeks to regulate. Under the GDPR, “personal data” includes employment records of non-students, application records of individuals who did not enroll, and alumni records not related to attendance, as well as additional information like IP addresses and location information. Overall, the GDPR consent requirements are very specific and limit the use of personal data to what is specifically stated in the consent document. Institutions that rely on consent must ensure that the consent was “freely given, specific, informed, and unambiguous”.

Before beginning the extensive process of preparing for the GDPR, it’s important to consider whether or not your institution will even be under its jurisdiction. Falling outside it would mean that you do not: recruit or accept students from the EU, allow students, faculty, or other staff to participate in study abroad programs, offer remote learning programs for EU students, conduct research in the EU, or provide any sort of documentation or networking to EU residents. Below, we’ve provided a checklist (originally posted here) that we believe to be the most comprehensive and that lists the major requirements of the GDPR. This is a good list if you’re a college or university in the US and need to start meeting GDPR compliance, if you’re already in the process of meeting GDPR compliance and need to see if you missed anything, or if you are a consultant working to help universities and colleges meet GDPR requirements.

GDPR Compliance Checklist

In terms of data, ensure your institution has:

1. A list of all types of personal information it holds, the source of that information, who you share it with, what you do with it, and how long you will keep it (GDPR Article 30)

2. A list of places where it keeps personal information and the ways data flows between them (GDPR Article 30)

3. A publicly accessible privacy policy that outlines all processes related to personal data (GDPR Article 30) and includes a lawful basis to explain why the institution needs to process personal information (GDPR Article 6)

In terms of management and accountability, your institution MUST:

1. Appoint a Data Protection Officer (DPO) (GDPR Article 37)

2. Create awareness among decision-makers about GDPR guidelines (GDPR Article 25)

3. Audit and ensure all technical security practices are up to date (GDPR Article 25)

4. Train staff on data protection practices (GDPR Article 25)

5. List the vendors who process your data (i.e., “sub-processors”) and publish your data relationship with them via your privacy policy (GDPR Article 28)

6. Appoint an EU representative who could be contacted by a local authority should a concern arise (GDPR Article 27)

7. Audit and deploy measures to report data breaches to the local authority and to the students involved in the breach within 72 hours (GDPR Article 33; GDPR Article 34)

8. Ensure contracts are in place with any vendor or “data processor” that your institution shares data with (GDPR Article 29)

In terms of student rights protected by the GDPR, your institution must allow students to:

1. Easily request access to their personal information (GDPR Article 15)

2. Easily update their own personal information to keep it accurate (GDPR Article 16)

3. Have their data automatically deleted when your institution has no more use for it (GDPR Article 5)

4. Easily request deletion of their personal data (GDPR Article 17)

5. Easily request that your institution stop processing their data (GDPR Article 18)

6. Easily request that their data be delivered to themselves or to a third party (GDPR Article 20)

7. Easily object to profiling or automated decision making that could impact them (GDPR Article 22)

In terms of ensuring you have consent from students when processing their information, your institution MUST:

1. Ask for consent when you start processing a student’s information (GDPR Article 7)

2. Clearly outline what you are doing with their data in your privacy policy (GDPR Article 7.2)

3. Make it as easy for your students to withdraw consent as it was to give it in the first place (GDPR Article 7.3)

4. Inform existing students whenever your institution updates its privacy policy (GDPR Article 7)

Finally, your Information Systems managers MUST:

1. Regularly review policies for changes and effectiveness, and regularly review changes in data handling, storage, processing, and dissemination procedures and policies among your vendors (GDPR Article 25).

Lastly, it’s important to recognize that although the changes institutions need to make to comply with the GDPR may seem exhaustive, overall they will help streamline and manage data acquisition. Since the GDPR is so new, it’s essential both to monitor developments within the law and to take the steps needed to comply with its requirements.