How much effort should US higher education institutions spend on the EU General Data Protection Regulation (GDPR)?
Last week I was invited by EDUCAUSE to present a webinar on the General Data Protection Regulation (GDPR) to an audience of mostly US and Canadian colleges and universities. Several hundred people signed up, but the obvious question was why should they care about the European law? Looking at the current situation in Europe, I see three main drivers:
- Regulators
- Partners
- Applicants/students
Which, if any, of these apply will depend on the kinds of interactions those education organizations have with people on the eastern side of the Atlantic.
Regulators: In the UK, there appear to be three main areas where regulators have taken action under existing European data protection law — security breaches, junk mail, and research. Losing personal data of large numbers of Europeans, bombarding them with electronic messages, or using them as involuntary research subjects is a good way to catch regulators' attention. Regulators' powers extend much more widely than this, but they don't seem to have been using them to any great extent. Obviously if a college or university has a physical presence in Europe, that institution needs to behave according to the relevant national laws.
Partners: A series of court cases challenging the legal provisions for exporting personal data — to the US in particular — has raised concerns at organizations that send personal data to overseas partners. US education institutions don't appear to be eligible for the US-EU Safe Harbor, so if you are setting up formal arrangements involving transfers of data, expect to be asked to include the relevant EU Model Contractual Clauses. For informal transfers, the existing provision allowing data exporters to self-assess the risk to individuals will be removed on May 25, so the new provision allowing exports to be based on legitimate interests seems likely to be the most appropriate. I've recently written blog posts on how that might work for incident response and federated access management. The key points with this approach are to ensure that any personal data are minimized and that the transfer is clearly to the benefit of the exporting organization and, where possible, to the individual as well.
Applicants/students: Publicity over the GDPR and court cases means that all organizations are likely to get a lot more questions about how they handle personal data. Those without clear privacy policies will likely need to work particularly hard to reassure potential customers. Many US educational organizations should have a good basis for this in FERPA, which regulates the handling of educational records — when I, as a European, looked at FERPA in 2011, it turned out to be surprisingly familiar. The major difference is in the definition of "personal data." FERPA appears to contain a wide exemption for "directory information" that could alarm Europeans who do not expect their digital and physical addresses to be widely disseminated. US organizations trying to attract Europeans should probably be cautious about exercising those legal rights.
North American higher education institutions are already subject to a number of different privacy and security regulations. Unfortunately, there's no one-size-fits-all answer to how much more effort they should spend on GDPR — it very much depends on the quantity, nature, and context of the personal data that an individual institution processes about people in Europe. An institution with a large population of students from EU countries, or that has a strong study abroad program sending students to the EU for educational experiences, will have a different risk footprint from an institution with only a few students from the EU.
To determine their own position, US higher education institutions should pull together interested stakeholders, such as general counsel, admissions officers, study abroad officers, business officers, and IT personnel to truly understand the institution's data-gathering efforts, especially when those efforts collect data from individuals located in the EU. The scope and the magnitude of those data-gathering efforts must be understood. Only then can the institution properly understand its potential risk of noncompliance with GDPR within the context of other US security and privacy regulations that it must follow.
EDUCAUSE maintains a web page devoted to the EU General Data Protection Regulation (GDPR), featuring links to a growing list of resources from numerous organizations to help colleges and universities understand the new regulation and its implications.
Andrew Cormack is Chief Regulatory Adviser at Jisc Technologies.
© 2018 Jisc. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.