Whether K-12 or higher education, rural or urban, small or large, education institutions across the United States should be prepared for GDPR — the European Union’s new General Data Protection Regulation — which went into effect May 25.
Many U.S. educators and administrators have heard the acronym by now — and likely received a flurry of “We’ve Updated Our Terms of Service” emails because of it — but don’t think it affects them because they live outside Europe. However, any time an educator communicates with someone living in an EU member country — think a high school exchange student, an applicant for a master’s program, even an expat alumnus or alumna — GDPR applies.
Jaime Tuttle-Santana, a legal and policy analyst in the Information Security Office for the University of California, Davis, in a blog post on EDUCAUSE, described GDPR as a rule “intended to broadly and conclusively provide data privacy and security protection for residents of the EU … [It] is binding on all 28 EU member states and will immediately repeal previous data regulations, including the 1995 EU Data Protection Directive. … Unlike prior laws, the GDPR takes the position that residents of the EU should not be deprived of security and privacy protections solely because a business or organization that targets those residents is located elsewhere.”
In an interview with EdScoop, Tuttle-Santana said several U.S. college and university officials he’s spoken with about GDPR are still wondering whether and how it’s relevant to them.
“I think they will get there, and it’s going to take some time,” he said. “It’s going to require a lot of process change, particularly in overseas admissions.”
He said most of the changes concern privacy requirements. “From a security standpoint, take a look at the information you have — are you protecting it at least to an industry-standard level?”
Tuttle-Santana suggested that the implementation of GDPR actually presents an opportunity for higher education to address privacy protections for all students — not just those living in Europe. “If a university changes its processes to give the same privacy rights to everyone, it wouldn’t matter” whether they’re in Europe or the U.S. because the same set of standards would apply across the board, Tuttle-Santana said.
Linnette Attai, founder and president of PlayWell LLC, a consulting firm that guides companies through their compliance responsibilities in the education space, said the same of K-12 education.
“Sometimes because of the nature of GDPR, sometimes because of the work it requires, it could be more efficient to do the work across the board,” she said. “It has some unique requirements, but at its core it’s about the fundamentals of [privacy], just codified into law. There are some areas of GDPR … that if applied across the board strengthen the entire privacy posture” of a school system.
“There’s nothing in GDPR that’s in conflict with existing [U.S.] practices and policies,” Attai added. “It’s complementary, it enhances.”
Whether in higher education or at a local school system, Attai and Tuttle-Santana said GDPR is more about policy than IT processes, and that changes to existing procedures have to be driven by leaders in those spaces.
“As with all privacy regulations, this needs to be driven by the leadership down, and it doesn’t start with IT,” Attai said. “In the K-12 space it starts at the superintendent level, the board [of education] level.… There should be a [privacy compliance officer], and schools should have a data protection officer, but many do not.”
GDPR changes will also affect vendors’ education offerings. Microsoft, for example, announced its compliance with GDPR on May 21. “We are committed to making sure that our products and services comply with GDPR. That’s why we’ve had more than 1,600 engineers across the company working on GDPR projects,” Julie Brill, corporate vice president and deputy general counsel, wrote.
Mike Tholfsen, principal product manager for Microsoft Education, confirmed that Office365 Education offers full GDPR support.
“Colleges and universities that have deployed enterprise cloud services already are finding themselves the best prepared for GDPR compliance,” said Andrew Keating, the managing director for education and healthcare at Box, a cloud storage company. “The IT challenges will vary based on the type of service, and of course the extent to which there is covered information involved.”
Most education institutions are relying on their attorneys to interpret GDPR, but there are limitations to that, Keating said.
“Not many lawyers really understand how data spreads through an environment and the practical issues that are faced by operational teams in ensuring that an effective data protection program is in place that meets the expectations associated with GDPR,” he said. “In practical terms, the process of developing an effective data protection framework is relatively straightforward, but it’s extremely hard to execute without the support of executive management.”
Keating described the typical steps in developing an effective data protection program, such as:
- Understand what data types you have; classify the data in accordance with your classification criteria.
- Determine if there are any specific regulatory obligations associated with those data types, e.g., restrictions on the geographic regions in which that data can be stored or used.
- Determine if your infrastructure and systems that hold the data have an appropriate security and compliance posture that meets your organization’s appetite for risk.
- Take appropriate action as necessary to align your data protection program with your risk profile.
- Understand how the data is being used within your organization and if its usage is congruent with GDPR or other industry-specific requirements.
- If you are using third parties, determine whether you have the necessary legal mechanism in place to authorize the cross-border transfer of data.
- Define and implement your policies for data protection.
- Define and implement an operational process to address process gaps that exist between your current processes and those required within GDPR, such as a process to ensure that the right to be forgotten is enacted within your organization.
- Validate that your IT system architecture and implementation meet the objectives of effective data protection.
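The inventory, cross-border-transfer and right-to-erasure steps above are the ones that most readily translate into something an IT team can run. The following is an added illustration, not tooling from Box, Keating or the article: a small data inventory in which each dataset carries a classification, a storage region, a processor and any documented transfer mechanism, plus an erasure workflow that records what it did. The region labels, dataset names, subject IDs and the `transfer_mechanism` field are all constructed assumptions.

```python
"""Data-inventory checks and an erasure workflow (added example; all data constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed region labels; a real inventory would use its own taxonomy.
EU_REGIONS = {"eu-west", "eu-central"}


@dataclass
class DataSet:
    name: str
    classification: str            # "public", "internal", "personal" or "sensitive"
    subjects_in_eu: bool           # holds data about EU residents?
    storage_region: str            # constructed region label
    processor: str                 # "self" or the name of a third-party vendor
    transfer_mechanism: str = ""   # documented legal basis for cross-border transfer, if any
    records: Dict[str, dict] = field(default_factory=dict)  # subject_id -> stored data


def find_transfer_gaps(inventory: List[DataSet]) -> List[str]:
    """Steps 1, 2 and 6 of the list: flag datasets holding EU personal data that are
    stored outside the EU or handled by a third party with no documented transfer mechanism."""
    findings = []
    for ds in inventory:
        if ds.classification not in ("personal", "sensitive") or not ds.subjects_in_eu:
            continue  # not personal data about EU residents; no transfer question arises
        outside_eu = ds.storage_region not in EU_REGIONS
        third_party = ds.processor != "self"
        if (outside_eu or third_party) and not ds.transfer_mechanism:
            reason = "stored outside the EU" if outside_eu else f"handled by third party {ds.processor}"
            findings.append(f"{ds.name}: EU personal data {reason} without a documented transfer mechanism")
    return findings


def erase_subject(inventory: List[DataSet], subject_id: str, audit_log: List[dict]) -> List[str]:
    """Step 8 of the list: remove one data subject from every dataset that holds them
    and append an audit entry per dataset so the erasure can later be evidenced."""
    touched = []
    for ds in inventory:
        if subject_id in ds.records:
            del ds.records[subject_id]
            touched.append(ds.name)
            audit_log.append({"action": "erase", "subject": subject_id, "dataset": ds.name})
    if not touched:
        # Still log the request: a request with nothing to erase is an outcome, not an error.
        audit_log.append({"action": "erase", "subject": subject_id, "dataset": None,
                          "note": "no data held"})
    return touched


def build_sample_inventory() -> List[DataSet]:
    """Constructed sample inventory for the checks above."""
    return [
        DataSet("course_catalog", "public", False, "us-east", "self"),
        # EU applicants held by an outside CRM vendor with no documented transfer basis.
        DataSet("admissions_crm", "personal", True, "us-east", "vendor-crm",
                records={"S-1001": {"name": "A. Example"}, "S-1002": {"name": "B. Example"}}),
        # EU alumni stored in the US, but with a documented mechanism on file.
        DataSet("alumni_list", "personal", True, "us-east", "self",
                transfer_mechanism="standard contractual clauses",
                records={"S-1001": {"name": "A. Example", "year": 2015}}),
        DataSet("hr_records", "sensitive", False, "us-east", "self",
                records={"E-7": {"name": "C. Staff"}}),
    ]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for gap in find_transfer_gaps(inventory):
        print("GAP:", gap)
    log: List[dict] = []
    print("erased from:", erase_subject(inventory, "S-1001", log))
    for entry in log:
        print("AUDIT:", entry)
```

The two findings functions are deliberately separate: the transfer-gap check runs periodically against the whole inventory, while the erasure function is invoked per request and must touch every dataset that names the subject, including ones (like the alumni list here) that were not flagged as gaps.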