What the New EU Data Protection Rules Mean for Higher Education


The General Data Protection Regulation (GDPR) was created to protect the personal data and privacy of European Union (EU) residents and provide a single set of rules for international businesses and organizations that process this data. The GDPR also establishes severe penalties for noncompliance of up to 4 percent of global turnover or 20 million Euros, whichever is higher.

We’re coming down the home stretch of the two-year transition period when the GDPR will officially replace the Data Protection Directive of 1995. Beginning in May 2018, all GDPR rules will be enforced.

Keep in mind that the GDPR doesn’t just apply to EU-based organizations. Any organization around the world that handles the personal data of Europeans must abide by the GDPR. Consequently, the GDPR affects most if not all American higher education institutions, even if they don’t have programs or locations in the EU. Schools that recruit students and faculty in Europe, offer European study abroad programs, or communicate with alumni and donors in the EU will have to process their data in accordance with the GDPR.

The scope of the GDPR is broader than U.S. data protection laws such as the Family Educational Rights and Privacy Act. For example, IP addresses and any unique identifiers assigned to students or their electronic devices must be protected. However, the GDPR does not explain what technology and processes must be implemented to satisfy the new regulations. That burden falls upon the higher education institutions.

The most significant provisions of the GDPR that will impact operations include:

  • Data Security and Breach Notification Standards. In the event of a data breach, organizations must notify all affected parties within 72 hours or provide a “reasoned justification” for the delay.
  • Data Protection Officer Designation. Any public authority and organizations that engage in large-scale monitoring or processing of data must designate a data protection officer to manage all activities related to personal data.
  • The GDPR includes strict requirements for receiving consent from a data subject. Providing an opt out or equating silence as consent is no longer acceptable.
  • Cross-Border Data Transfers. Transfers of data to other countries are only permitted if the country’s data protection is adequate or appropriate safeguards are in place.
  • Profiling, or target marketing, is restricted, and data subjects have the right to be excluded from this practice.
  • Individual Rights and Data Portability. Individuals can request to have their personal data deleted or transferred to another organization. They also have the right to receive information about data processing activities.
  • Vendor Management. There are clear lines of accountability between controllers and processors of personal data.
  • Organizations are encouraged to adopt a process that separate personal data from direct identifiers. Data would still be usable, but risk would be reduced.
  • Codes of Conduct. The GDPR recommends using codes of conduct and certifications to maintain and demonstrate compliance.
  • Severe Penalties. Two tiers of hefty fines are designed to get organizations to take the GDPR seriously.

Despite the inevitable impact on operations, most organizations aren’t ready for the GDPR. According to a survey from TrustArc, six in 10 EU organizations hadn’t yet started GDPR implementation as of mid-2017. Similar surveys have shown the majority of U.S. organizations are also unprepared.

In the next post, we’ll discuss data governance and how it can help you prepare for the GDPR.