The General Data Protection Regulation (GDPR) was created to protect the personal data and privacy of European Union (EU) residents and to provide a single set of rules for international businesses and organizations that process this data. The GDPR also establishes severe penalties for noncompliance: fines of up to 4 percent of global turnover or 20 million euros, whichever is higher.
We’re coming down the home stretch of the two-year transition period when the GDPR will officially replace the Data Protection Directive of 1995. Beginning in May 2018, all GDPR rules will be enforced.
Keep in mind that the GDPR doesn’t just apply to EU-based organizations. Any organization around the world that handles the personal data of Europeans must abide by the GDPR. Consequently, the GDPR affects most if not all American higher education institutions, even if they don’t have programs or locations in the EU. Schools that recruit students and faculty in Europe, offer European study abroad programs, or communicate with alumni and donors in the EU will have to process their data in accordance with the GDPR.
The scope of the GDPR is broader than U.S. data protection laws such as the Family Educational Rights and Privacy Act. For example, IP addresses and any unique identifiers assigned to students or their electronic devices must be protected as personal data. However, the GDPR does not specify which technologies and processes must be implemented to satisfy the new regulations; that burden falls on the higher education institutions themselves.
The most significant provisions of the GDPR that will impact operations include:
Despite the inevitable impact on operations, most organizations aren’t ready for the GDPR. According to a survey from TrustArc, six in 10 EU organizations hadn’t yet started GDPR implementation as of mid-2017. Similar surveys have shown the majority of U.S. organizations are also unprepared.
In the next post, we’ll discuss data governance and how it can help you prepare for the GDPR.