What do you know about the E.U.’s new General Data Protection Regulation (GDPR)? If you have not read up on this important regulation recently, never fear! Today, Cheryl Dowd, Director of the State Authorization Network, is here to provide background information and the basic components of the GDPR, so you can help your institution review and create processes to be compliant by May 25, 2018.
Thank you, Cheryl!
Enjoy the read,
Does your institution or organization process the personal information of a person residing in a European country that is part of the European Union (EU)?
Does your institution have a distance education program for which your institution has been enrolling students residing in EU countries?
Has your institution received admissions from residents, or have alumni or donors in a country that is part of the EU?
What about European study abroad programs or research partnerships with residents of EU countries?
Did you say yes to any of these questions? If so, you need to read this to help your institution review and create processes to be compliant with the E.U.’s new General Data Protection Regulation (GDPR) by May 25, 2018.
The GDPR aims to protect E.U. citizens from data breaches. We know, from even a casual observation of the news, that data breaches have occurred and are a significant concern for citizens outside the EU. Do the breaches at Equifax, Anthem, Target, and Yahoo ring a bell? Higher education institutions are also ripe for breaches! Institutions in the United States and Canada may be able to benefit in our data protection practices by putting the processes in place necessary to comply with EU regulations.
WCET recently became aware of these EU regulations and their direct connection to our US and Canadian institutions and organizations. Our intent is to keep this simple to get you started. We offer you a little history, basic components, debunked myths, and some direction on steps you might take. Our research is based on four main resources:
- EUGDPR website
- Computer Weekly.com
- Inside Higher Ed. Article: U. Data-Protection Law Looms
- Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to take now
The EU GDPR website indicates that the E.U. Parliament approved and adopted the regulations in April 2016, after four years of preparation and debate. The enforcement date is set for May 25, 2018. Noncompliance with the regulations is expected to carry large fines. This regulation replaces the 1995 Data Protection Directive 95/45/EC. The website further explains that the new regulations were created to “protect and empower all EU citizens data privacy and reshape the way organizations across the region approach data privacy.” Lindsay McKenzie from Insider Higher Ed reported in a November 6, 2017 article (E.U. Data Protection Law Looms) that Gian Franco Borio, a lawyer who spoke at a recent Educause session, believes that these new regulations provide a “significant expansion of protection for the personal data of EU residents”. The GDPR will apply to any organization worldwide that processes the personal information of EU residents.
The differences between the new GDPR and the 1995 Data Protection Directive 95/45/EC were reported by Allyssa Provazza in her article, GDPR requirements put end-user data in the spotlight, Computer Weekly.com, November 2, 2017. She indicated that the new regulations mandate that there be tighter requirements and justification for documenting and defining what data an organization processes. Additionally, the new regulations provide more support for the data subject regarding consent by requiring more clarity in language to ensure consent is informed and freely given. Finally, the GDPR was created to have consistent enforcement across all member countries rather than the previous enforcement in each individual EU member state.
Ms. Provazza also suggests that the definition of personal data in Europe is much broader than in the United States. The GDPR additionally includes identifiers such as: biometric data, political opinions, health information, sexual orientation, and trade union membership.
Highlights from the EUGDPR website FAQ’s indicate:
- Who Does the GDPR Affect? All organizations (including institutions) that offer goods or services or that processes and holds the personal data of subjects residing in the EU, regardless of the location of the organization. The Data Processor and Data Controller will be held responsible.
- What Are the Penalties for Non-Compliance? The maximum fine is up to 4% of the annual global turnover for breaching GDPR or €20 million. I don’t know what 4% of annual global turnover is, but as of today, €20,000,000 equals $23,334,642.23. Note that there is a tiered approach to fines based on the degree of the infraction.
- What is Personal Data? The information related to the person that could directly or indirectly identify the person. The examples include: name, email, IP address, photo, bank details, etc.
- Definition of Data Processor and Data Controller: The controller is the person/entity that determines the purpose, conditions, and means for processing the personal data. The Processor is the person/entity that processes the personal data on behalf of the controller.
- What is Required?
- Records must be kept in order per the regulations.
- Breach notification protocols must be observed including notification to the supervising authority and data subject.
- Consent to obtain personal information must be intelligible and in easily accessible form as well as easy to withdraw consent.
- A Data Protection Officer (DPO) must be appointed if the organization (institution) is a public authority, organization that engages in large scale systematic monitoring, or organization that engages is large scale processing of sensitive personal data.
Myths as proposed and debunked by Jimmy Desai in Computer Weekly.com: GDPR: Five Myths You will Encounter in your Compliance Journey, June 2017.
- It is just about hacking. Desai explains that GDPR also offers data subjects the ability to have easier access to their personal information held by the organization.
- It is about avoiding fines. It is posed that GDPR seeks to avoid data breaches and the notifications that would be required. This devastating event of a data breach and required notification could cause loss of large numbers of customers and a debilitating impact on the organization’s reputation and finances. The fines would be a later concern beyond these crippling issues.
- It is just an IT problem. This is a common response to cyber or data problems. However, it is suggested in this article that GDPR is actually a cultural change for the organization (institution) to create a team approach of different departments to determine how personal data is used, stored, acquired, passed to others, etc.
- GDPR compliance is a job for the IT director. A Data Protection Officer (DPO) will be mandatory for some organizations (institutions). The organization may wish to consider that appointing the IT person as the DPO could be a conflict of interest. The conflict would arise if the IT Director is the person who processes the personal data. That person cannot be responsible for signing off on GDPR compliance regarding the processing of the data.
- Compliance can be achieved quickly. The team effort required to evaluate how the organization (institution) processes data will be time consuming and complicated with the variety of team players. Mr. Desai suggests that this work should include departments such as marketing, IT, finance, HR, and Legal. For higher education institutions, there will be the need to also include staff from the advising and academic departments.
Direction for Institutions and Organizations
Computer Weekly.com has published many articles and a one-page infographic explaining the GDPR. The infographic (GDPR: The State of Play) offers the seven projects that are to be implemented to comply with the regulations. An important aspect for colleges and universities to note is the statement in the bottom left corner of the infographic referring to organizations that are outside of the E.U.
The Information Commissioner’s Office (ICO), the agency responsible for enforcing GDPR in the UK developed a 12-step check list to prepare for compliance of the GDPR. Institutions may find direction by putting processes in place based on these 12 steps. In a May 2017 ComputerWeekly.com article, Jim Mortleman provided a summary of the ICO 12 steps in his article, GDPR: a quick start guide.
WCET began reporting on cybersecurity earlier in 2017. In February 2017, we offered our first Frontiers blog post, Words can be intimidating: Cybersecurity and Our Role in Higher Education, to introduce the topic area and to engage our institutional members to understand that data and infrastructure protection from breaches is just as important for our institutions as it is in the rest of the business world. Note that regrettable breaches have infiltrated major companies such as Equifax and Target. A follow up article in April 2017, Data Privacy for Institutes of Higher Education (IHE), described recent data breaches in higher education to alert our readers that attackers target IHEs due to the institutions possessing vast amounts of computing power and education’s competing desire to provide open access to resources. Both articles echo the philosophy and goals of the GDPR for institutions and organizations to create comprehensive cybersecurity systems to protect our students, faculty, staff, and donors who entrust the institution and organization with their personal information.
Perhaps these new regulations in the EU will cause our college and university leaders to take notice and embrace a change in culture to create collaborative efforts to address data security. The result would be a comprehensive data protection plan that not only meet the expectations required by the European Union, but also better protect personal information in their care.
Stay tuned as WCET will share more about the GDPR and U.S. data protection guidance and processes as we learn about them! Meanwhile, share this information across your institution!
Director, State Authorization Network