U.S. Colleges and Universities - Are You Ready for the GDPR?
Why You Should Be Taking Steps Toward GDPR Compliance Right Now
April 15, 2018
As described in our initial client alert (See: Is Your Institution in Control of “GDPR” Compliance?), effective May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”) imposes new obligations on entities that collect and/or process “personal data” from people in the European Union (“EU”). U.S. higher education institutions (“HEIs”) that collect personal data from any person located within the EU (**regardless of the HEI’s location or the person’s citizenship or residency**), will likely need to comply with the GDPR. Any HEI in violation of GDPR requirements may be subject to significant fines.
What does this mean for HEIs? It means now is a perfect time to review and revise existing privacy and security policies, and any data collection procedures. As entities that routinely collect personal data of students, faculty, and staff, HEIs are in a unique position when it comes to the new GDPR requirements. The GDPR imposes restrictions on the (i) manner in which personal data may be collected, (ii) use and maintenance of data, and (iii) ability to collect certain items of personal data without specific consent. Consequently, HEIs likely will need to reform many aspects of existing data collection and retention procedures to become compliant with the GDPR. The extent of these reforms will be dependent on the scope of personal data collection an HEI maintains.
The Time to Begin Is Now
GDPR compliance seems daunting for many HEIs, particularly as it is not yet clear exactly how certain aspects of the GDPR will pertain to HEIs. However, affirmative steps towards GDPR compliance (and, more importantly, overall data hygiene) can be taken with minimal effort. The privacy and security of personal data are more important now than ever, and several easy-to-accomplish GDPR action items can help HEIs protect themselves from liability. Some of these action items include:
- Conduct a Data Audit
  - Does your institution know what data it is collecting and from whom?
  - Does your institution know where and how that data is stored?
- Identify Contact with the EU
  - Do you maintain study abroad programs, hire faculty, recruit students, offer on-line courses to, or accept applications from, people located within the EU?
  - Do you understand the scope of your involvement with EU member states?
- Policy Review
  - What policies do you have in place for data collection? Do these existing privacy policies need to be revised generally and for GDPR compliance?
  - Do your faculty and staff know of and understand these policies?
  - Are you prepared for a data security breach?
- Website Content Review
  - Does your website need to include GDPR notices and/or consent mechanisms?
  - Do you know what data your website collects/stores/uses?
- Contract Review
  - Do you have contracts with vendors or third party service providers (including cloud based service providers) that might collect and/or process personal data on your behalf?
  - Do these contracts need revision to incorporate GDPR provisions?
The time to take action is now. Although compliance with the GDPR will be an evolving process, HEIs can take certain steps that will benefit their institutions, not only with respect to future GDPR compliance, but also with overall data protection.
To find out other easy-to-accomplish action items and how Bond, Schoeneck & King, PLLC can help your institution with GDPR compliance issues, please contact Sara Temes.
Bond, Schoeneck & King and Annese & Associates will be hosting a webinar regarding GDPR compliance for HEIs on April 27 at 10AM. If you would like to receive an invitation or further information regarding GDPR compliance, please contact Sara Temes.