E.U. Regulations that are Enforceable Against U.S. Higher Education Institutions

What do you know about the E.U.’s new General Data Protection Regulation (GDPR)? If you have not read up on this important regulation recently, never fear! Today, Cheryl Dowd, Director of the State Authorization Network, is here to provide background information and the basic components of the GDPR, so you can help your institution review and create processes to be compliant by May 25, 2018.

Thank you, Cheryl!

Enjoy the read,

~Lindsey, WCET


Does your institution or organization process the personal information of a person residing in a European country that is part of the European Union (EU)?

Does your institution have a distance education program for which your institution has been enrolling students residing in EU countries?

Has your institution received admissions applications from residents, or have alumni or donors in a country that is part of the EU?

[Map: Countries in the E.U. Photo credit: http://www.nationsonline.org/oneworld/first.shtml]

What about European study abroad programs or research partnerships with residents of EU countries?

Did you say yes to any of these questions? If so, you need to read this to help your institution review and create processes to be compliant with the E.U.’s new General Data Protection Regulation (GDPR) by May 25, 2018.

The GDPR aims to protect E.U. citizens from data breaches. We know, from even a casual observation of the news, that data breaches have occurred and are a significant concern for citizens outside the EU as well. Do the breaches at Equifax, Anthem, Target, and Yahoo ring a bell? Higher education institutions are also ripe for breaches! Institutions in the United States and Canada may benefit in their own data protection practices by putting in place the processes necessary to comply with EU regulations.

WCET recently became aware of these EU regulations and their direct connection to our US and Canadian institutions and organizations. Our intent is to keep this simple to get you started. We offer you a little history, basic components, debunked myths, and some direction on steps you might take. Our research is based on four main resources:

History

The EU GDPR website indicates that the E.U. Parliament approved and adopted the regulations in April 2016, after four years of preparation and debate. The enforcement date is set for May 25, 2018. Noncompliance with the regulations is expected to carry large fines. This regulation replaces the 1995 Data Protection Directive 95/45/EC. The website further explains that the new regulations were created to “protect and empower all EU citizens data privacy and reshape the way organizations across the region approach data privacy.” Lindsay McKenzie from Inside Higher Ed reported in a November 6, 2017 article (E.U. Data Protection Law Looms) that Gian Franco Borio, a lawyer who spoke at a recent Educause session, believes that these new regulations provide a “significant expansion of protection for the personal data of EU residents”. The GDPR will apply to any organization worldwide that processes the personal information of EU residents.

The differences between the new GDPR and the 1995 Data Protection Directive 95/45/EC were reported by Allyssa Provazza in her article, GDPR requirements put end-user data in the spotlight, Computer Weekly.com, November 2, 2017. She indicated that the new regulations impose tighter requirements on documenting, defining, and justifying what data an organization processes. Additionally, the new regulations provide more support for the data subject regarding consent by requiring clearer language to ensure that consent is informed and freely given. Finally, the GDPR was created to have consistent enforcement across all member countries rather than the previous enforcement in each individual EU member state.

Ms. Provazza also suggests that the definition of personal data in Europe is much broader than in the United States. The GDPR additionally includes identifiers such as: biometric data, political opinions, health information, sexual orientation, and trade union membership.

Basic Components

Highlights from the EUGDPR website FAQ indicate:

  1. Who Does the GDPR Affect? All organizations (including institutions) that offer goods or services or that process and hold the personal data of subjects residing in the EU, regardless of the location of the organization. The Data Processor and Data Controller will both be held responsible.
  2. What Are the Penalties for Non-Compliance? The maximum fine is up to 4% of the annual global turnover for breaching GDPR or €20 million. I don’t know what 4% of annual global turnover is, but as of today, €20,000,000 equals $23,334,642.23. Note that there is a tiered approach to fines based on the degree of the infraction.
  3. What is Personal Data? The information related to the person that could directly or indirectly identify the person. The examples include: name, email, IP address, photo, bank details, etc.
  4. Definition of Data Processor and Data Controller: The controller is the person/entity that determines the purpose, conditions, and means for processing the personal data. The Processor is the person/entity that processes the personal data on behalf of the controller.
  5. What is Required?
    • Records must be kept in order per the regulations.
    • Breach notification protocols must be observed including notification to the supervising authority and data subject.
    • Requests for consent to process personal information must be intelligible and in an easily accessible form, and consent must be easy to withdraw.
    • A Data Protection Officer (DPO) must be appointed if the organization (institution) is a public authority, an organization that engages in large scale systematic monitoring, or an organization that engages in large scale processing of sensitive personal data.

Myths as proposed and debunked by Jimmy Desai in Computer Weekly.com: GDPR: Five Myths You Will Encounter in Your Compliance Journey, June 2017.

  1. It is just about hacking. Desai explains that GDPR also offers data subjects the ability to have easier access to their personal information held by the organization.
  2. It is about avoiding fines. The article argues that GDPR seeks to avoid data breaches and the notifications that would be required. The devastating event of a data breach and its required notification could cause loss of large numbers of customers and a debilitating impact on the organization’s reputation and finances. The fines would be a later concern beyond these crippling issues.
  3. It is just an IT problem. This is a common response to cyber or data problems. However, the article suggests that GDPR is actually a cultural change for the organization (institution), requiring a team approach across departments to determine how personal data is used, stored, acquired, passed to others, etc.
  4. GDPR compliance is a job for the IT director. A Data Protection Officer (DPO) will be mandatory for some organizations (institutions). The organization may wish to consider that appointing the IT person as the DPO could be a conflict of interest. The conflict would arise if the IT Director is the person who processes the personal data. That person cannot be responsible for signing off on GDPR compliance regarding the processing of the data.
  5. Compliance can be achieved quickly. The team effort required to evaluate how the organization (institution) processes data will be time consuming and complicated with the variety of team players. Mr. Desai suggests that this work should include departments such as marketing, IT, finance, HR, and Legal. For higher education institutions, there will be the need to also include staff from the advising and academic departments.

Direction for Institutions and Organizations

Computer Weekly.com has published many articles and a one-page infographic explaining the GDPR. The infographic (GDPR: The State of Play) offers the seven projects that are to be implemented to comply with the regulations. An important aspect for colleges and universities to note is the statement in the bottom left corner of the infographic referring to organizations that are outside of the E.U.

The Information Commissioner’s Office (ICO), the agency responsible for enforcing GDPR in the UK, developed a 12-step checklist to prepare for compliance with the GDPR. Institutions may find direction by putting processes in place based on these 12 steps. In a May 2017 ComputerWeekly.com article, GDPR: a quick start guide, Jim Mortleman provided a summary of the ICO 12 steps.

Summary of the ICO 12-step checklist to GDPR compliance, as provided by GDPR: a quick start guide:

  1. Ensure senior/key people are aware of GDPR and appreciate its impact.
  2. Document any personal data you hold, where it came from, and who you share it with. Conduct an information audit if needed.
  3. Review your privacy notices and plan for necessary changes before GDPR comes into force.
  4. Check your procedures cover all individuals’ rights under the legislation – for example, how you would delete personal data or provide data electronically in a commonly used format.
  5. Plan how you will handle subject access requests within the new timescales and provide any additional information.
  6. Identify and document your legal basis for the various types of personal data processing you do.
  7. Review how you seek, obtain, and record consent. Do you need to make any changes?
  8. Put systems in place to verify individuals’ ages and, if users are children (likely to be defined in the UK as those under 13), gather parental consent for data processing activity.
  9. Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Adopt a “privacy by design” and “data minimization” approach, as part of which you’ll need to understand how and when to implement Privacy Impact Assessments.
  11. Designate a Data Protection Officer or someone responsible for data protection compliance; assess where this role will sit within your organization’s structure/governance arrangements.
  12. If you operate internationally, determine which data protection supervisory authority you come under.

For more detail on each of these 12 steps, refer to the ICO guidelines.

WCET began reporting on cybersecurity earlier in 2017. In February 2017, we offered our first Frontiers blog post, Words can be intimidating: Cybersecurity and Our Role in Higher Education, to introduce the topic area and to help our institutional members understand that protecting data and infrastructure from breaches is just as important for our institutions as it is in the rest of the business world. Note that regrettable breaches have hit major companies such as Equifax and Target. A follow up article in April 2017, Data Privacy for Institutes of Higher Education (IHE), described recent data breaches in higher education to alert our readers that attackers target IHEs because institutions possess vast amounts of computing power and because education has a competing desire to provide open access to resources. Both articles echo the philosophy and goals of the GDPR: that institutions and organizations create comprehensive cybersecurity systems to protect the students, faculty, staff, and donors who entrust them with their personal information.

Perhaps these new regulations in the EU will cause our college and university leaders to take notice and embrace a change in culture, creating collaborative efforts to address data security. The result would be a comprehensive data protection plan that not only meets the expectations required by the European Union, but also better protects the personal information in their care.

Stay tuned as WCET will share more about the GDPR and U.S. data protection guidance and processes as we learn about them! Meanwhile, share this information across your institution!


Cheryl Dowd
Director, State Authorization Network
WCET


3 Comments

  1. Cheryl Dowd
    Posted November 28, 2017 at 7:37 pm | Permalink | Reply

    Thank you for your interest in the article. You have asked a very good question. I understand your inquiry about how or if GDPR applies to a US citizen who is temporarily residing in an EU country and/or more specifically whether there is a difference if they are military or dependents who have been deployed to the EU country. Unfortunately, I have not read anything that references this issue. I do anticipate that we will follow up on this topic as we obtain more information. I will investigate this issue specifically.
    Thank you for your inquiry! I hope to offer more soon!

    Cheryl Dowd

  2. Posted November 28, 2017 at 9:32 am | Permalink | Reply

    Excellent article, Cheryl. I note the source documents use the term “EU citizens.” Not to downplay consumer privacy/protection, I wonder the applicability for US citizens, specifically US military/military-related persons residing in the EU as part of their assignments.

    Have you run across any references that can help guide those of us who work with deployed military and family members?

    Thanks!

  3. Posted November 27, 2017 at 9:25 am | Permalink | Reply

    Thank you for a wonderful post today Cheryl!
