GDPR Compliance: How It Can Affect Your School and What You Need To Know

Not-For-Profit and Education, Cyber and Information Security Services, Education Services

GDPR Compliance: How It Can Affect Your School and What You Need To Know

If your school enrolls European Union citizens, the General Data Protection Regulation (GDPR) should sound very familiar. If it doesn’t, keep reading or it could cost you. Here we share key information on GDPR compliance.

The GDPR, a European Union regulation, is set to become effective on May 25, 2018. GDPR was designed to protect all European Union citizens’ data privacy and will affect all U.S. grade schools, colleges and universities that have foreign students from the European Union. The protected data includes any information related to a natural person or “data subject,” that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address. Under GDPR, in the case of a data breach, the school will have 72 hours to notify the Data Protection Authority and the affected individual. The maximum fines for the most serious infringements are the greater – yes, greater – of 4% of annual global revenue or 20 million Euros. The GDPR defines several roles such as data controller, data processor and the data protection officer that are responsible for ensuring compliance. Entities will have to designate these functions within its personnel.

Privacy by Design

The GDPR includes a provision for privacy by design. Privacy by designs calls for the inclusion of data protection in the designing of systems, rather than an addition. Further, only information that is absolutely necessary for the completion of duties is to be held and processed, and access to personal data is to be limited to those individuals needing the information to perform their job.

Right to be Forgotten

The right to be forgotten is also covered under the GDPR. The right to be forgotten entitles the data subject to have their personal data erased, cease further dissemination of the data, and potentially have third parties halt processing of the data.

Consent

Under GDPR, individuals must explicitly opt-in to allow personal data to be collected, and children must get consent from a parent or guardian. Additionally, consent must be easy to remove at any time.

Data Portability

GDPR introduces data portability, which is the right for a data subject to receive the personal data concerning them, which they have previously provided in a commonly used, machine-readable format and have the right to transmit that data to another controller.

Is your school prepared? When is the last time your contracts with third-party providers were reviewed? Where is your data stored? What initiates data transmittal? Is your data encrypted? Is it susceptible to being compromised? As the effective date nears, now is the time to check your cybersecurity policies and procedures to ensure your school will be compliant with GDPR before it’s too late.

Return to Cyber & Information Security Services Page

How Can We Help?

Previous Post

Next Post

Read More
image of little kid behind a pink heart

Not-For-Profit and Education

At the center of your nonprofit is the desire to keep going against all odds to fulfill a unified goal. Sometimes, that focus can become clouded by compliance, governance and […]

Learn More
Photo of a lock.

Cyber and Information Security Services

Cybersecurity: Businesses Need the Right Protection Our Cyber threats continue to grow at an exponential rate. Additionally, the constantly changing technical landscape, including the introduction of disruptive technologies such as […]

Learn More

Education Services

At Withum, our Education Services Team provides services to various types of public and private education institutions. As a certified public accounting and consulting firm, we understand the unique challenges […]

Learn More