E.U. Regulations that are Enforceable Against U.S. Higher Education Institutions
Published by: WCET | 11/27/2017
What do you know about the E.U.’s new General Data Protection Regulation (GDPR)? If you have not read up on this important regulation recently, never fear! Today, Cheryl Dowd, Director of the State Authorization Network, is here to provide background information and the basic components of the GDPR, so you can help your institution review and create processes to be compliant by May 25, 2018.
Thank you, Cheryl!
Enjoy the read,
Does your institution or organization process the personal information of a person residing in a European country that is part of the European Union (EU)?
Does your institution have a distance education program for which your institution has been enrolling students residing in EU countries?
Has your institution received admissions from residents, or have alumni or donors in a country that is part of the EU?
What about European study abroad programs or research partnerships with residents of EU countries?
Did you say yes to any of these questions? If so, you need to read this to help your institution review and create processes to be compliant with the E.U.’s new General Data Protection Regulation (GDPR) by May 25, 2018.
The GDPR aims to protect the personal data of people in the E.U., including protection from data breaches. We know, from even a casual observation of the news, that data breaches have occurred and are a significant concern for citizens outside the EU as well. Do the breaches at Equifax, Anthem, Target, and Yahoo ring a bell? Higher education institutions are also ripe for breaches! Institutions in the United States and Canada may also improve their own data protection practices by putting in place the processes necessary to comply with EU regulations.
WCET recently became aware of these EU regulations and their direct connection to our US and Canadian institutions and organizations. Our intent is to keep this simple to get you started. We offer you a little history, basic components, debunked myths, and some direction on steps you might take. Our research is based on four main resources:
The EU GDPR website indicates that the E.U. Parliament approved and adopted the regulation in April 2016, after four years of preparation and debate. The enforcement date is set for May 25, 2018. Noncompliance with the regulation is expected to carry large fines. This regulation replaces the 1995 Data Protection Directive 95/46/EC. The website further explains that the new regulation was created to “protect and empower all EU citizens data privacy and reshape the way organizations across the region approach data privacy.” Lindsay McKenzie from Inside Higher Ed reported in a November 6, 2017 article (E.U. Data Protection Law Looms) that Gian Franco Borio, a lawyer who spoke at a recent Educause session, believes that the new regulation provides a “significant expansion of protection for the personal data of EU residents”. The GDPR will apply to any organization worldwide that processes the personal information of EU residents.
The differences between the new GDPR and the 1995 Data Protection Directive 95/46/EC were reported by Allyssa Provazza in her article, GDPR requirements put end-user data in the spotlight, Computer Weekly.com, November 2, 2017. She indicated that the new regulation imposes tighter requirements on documenting, defining, and justifying what data an organization processes. Additionally, the new regulation gives the data subject more support regarding consent by requiring clearer language, so that consent is informed and freely given. Finally, the GDPR was created to be enforced consistently across all member countries, rather than separately in each individual EU member state as under the previous directive.
Ms. Provazza also notes that the definition of personal data in Europe is much broader than in the United States. The GDPR explicitly covers categories of data such as biometric data, political opinions, health information, sexual orientation, and trade union membership.
Highlights from the EU GDPR website FAQs indicate:
Myths as proposed and debunked by Jimmy Desai in Computer Weekly.com: GDPR: Five Myths You will Encounter in your Compliance Journey, June 2017.
Computer Weekly.com has published many articles and a one-page infographic explaining the GDPR. The infographic (GDPR: The State of Play) offers the seven projects that are to be implemented to comply with the regulations. An important aspect for colleges and universities to note is the statement in the bottom left corner of the infographic referring to organizations that are outside of the E.U.
The Information Commissioner’s Office (ICO), the agency responsible for enforcing the GDPR in the UK, developed a 12-step checklist to prepare for compliance with the GDPR. Institutions may find direction by putting processes in place based on these 12 steps. In a May 2017 ComputerWeekly.com article, GDPR: a quick start guide, Jim Mortleman provided a summary of the ICO’s 12 steps.
WCET began reporting on cybersecurity earlier in 2017. In February 2017, we offered our first Frontiers blog post, Words can be intimidating: Cybersecurity and Our Role in Higher Education, to introduce the topic area and to help our institutional members understand that protecting data and infrastructure from breaches is just as important for our institutions as it is in the rest of the business world. Breaches have hit even major companies such as Equifax and Target. A follow-up article in April 2017, Data Privacy for Institutes of Higher Education (IHE), described recent data breaches in higher education to alert our readers that attackers target IHEs because institutions possess vast amounts of computing power and because education’s desire to provide open access to resources competes with the need to lock them down. Both articles echo the philosophy and goals of the GDPR: institutions and organizations should create comprehensive cybersecurity programs to protect the students, faculty, staff, and donors who entrust them with their personal information.
Perhaps these new regulations in the EU will cause our college and university leaders to take notice and embrace a change in culture, creating collaborative efforts to address data security. The result would be a comprehensive data protection plan that not only meets the expectations of the European Union, but also better protects the personal information in their care.
Stay tuned as WCET will share more about the GDPR and U.S. data protection guidance and processes as we learn about them! Meanwhile, share this information across your institution!
Director, State Authorization Network