If your school enrolls European Union citizens, the General Data Protection Regulation (GDPR) should sound very familiar. If it doesn’t, keep reading or it could cost you. Here we share key information on GDPR compliance.
The GDPR, a European Union regulation, is set to become effective on May 25, 2018. GDPR was designed to protect all European Union citizens’ data privacy and will affect all U.S. grade schools, colleges and universities that have foreign students from the European Union. The protected data includes any information related to a natural person or “data subject,” that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address. Under GDPR, in the case of a data breach, the school will have 72 hours to notify the Data Protection Authority and the affected individual. The maximum fines for the most serious infringements are the greater – yes, greater – of 4% of annual global revenue or 20 million Euros. The GDPR defines several roles such as data controller, data processor and the data protection officer that are responsible for ensuring compliance. Entities will have to designate these functions within its personnel.
The GDPR includes a provision for privacy by design. Privacy by designs calls for the inclusion of data protection in the designing of systems, rather than an addition. Further, only information that is absolutely necessary for the completion of duties is to be held and processed, and access to personal data is to be limited to those individuals needing the information to perform their job.
The right to be forgotten is also covered under the GDPR. The right to be forgotten entitles the data subject to have their personal data erased, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Under GDPR, individuals must explicitly opt-in to allow personal data to be collected, and children must get consent from a parent or guardian. Additionally, consent must be easy to remove at any time.
GDPR introduces data portability, which is the right for a data subject to receive the personal data concerning them, which they have previously provided in a commonly used, machine-readable format and have the right to transmit that data to another controller.
Is your school prepared? When is the last time your contracts with third-party providers were reviewed? Where is your data stored? What initiates data transmittal? Is your data encrypted? Is it susceptible to being compromised? As the effective date nears, now is the time to check your cybersecurity policies and procedures to ensure your school will be compliant with GDPR before it’s too late.