Effective May 25, 2018, the European General Data Protection Regulation (“GDPR”) imposes new obligations on persons or entities that are “controllers” or “processors” of “personal data” about people in the European Union (“EU”). Unlike U.S. or even existing European privacy laws, the GDPR (i) can apply to entities that are located entirely outside of the EU, and (ii) applies to “personal data” about anyone in the EU, regardless of whether they are a citizen or permanent resident of a country in the EU (each country is a “Member”).
Institutions in violation of the GDPR could face significant fines. Depending on the nature of the violation, an institution in violation of the GDPR could be fined up to €20,000,000 (which amounts to over US $24,000,000) or up to 4 percent of a company’s global revenue, whichever is higher. There is some uncertainty with regard to the methodology that will be used to calculate global revenue for U.S. colleges and universities, but it is unlikely that substantive further guidance will be available on the subject before the GDPR becomes effective in May 2018.
Is Your Institution in Control of “GDPR” Compliance? - Higher Education Law Report