In February 2018, the European Union (EU) adopted the General Data Protection Regulation (GDPR), which regulates the processing of personal data in the EU. The Regulation is wide in scope and applies to higher education organizations, whether they are located inside or outside the EU if they process personal data in the EU or that is sent from the EU.
In many ways, the GDPR was a game changer for data protection in that it extended the scope of the provisions under the Regulation to third-party countries, including the U.S. The Regulation also introduced the ability of national supervisory authorities to levy hefty fines—up to EUR 20 million or 4% of annual global turnover for breaches of some provisions. Failure to comply with the Regulation can therefore be costly. Yet compliance is not a simple matter.
First, the GDPR has a wide scope for the terms ‘personal data’ and ‘processing’, which means that essentially any piece of data that can be linked to a specific individual and any processing operation, including storage, anonymization, and deletion falls under its scope. Once the processing of personal data falls under the GDPR, the Regulation mandates that the processing must be carried out according to the data processing principles. This includes the requirement that all processing must be based on a legal basis, for which there are six options.
It is the responsibility of the processing organization to identify the most appropriate legal basis for processing. In the case of processing of personal data by a higher ed organization, the legal basis is likely to be either consent or legitimate interest. However, the obligations for a processing entity, referred to as a ‘data controller’ or a ‘data processor’ in the legal text, do not end there.
Consent can only be used as a legal basis if the data controller adopts several prescriptive requirements, including giving individuals the right to withdraw consent as easily as it was given. Similarly, the legal basis of legitimate interest can only be used if the data controller undertakes an assessment to mitigate any impact the processing may have on the individual’s fundamental rights and interests. Further, the data controller must inform individuals of their data subject rights, which include the right to access, rectification, erasure, data portability, and in relation to direct marketing, the right to object.
The GDPR also imposes several requirements on the data controller to be able to demonstrate compliance with the Regulation, which may require adaptation or upgrading of an organization’s IT infrastructure. However, determining the need of the system to ensure compatibility with the legal requirements may not be a straightforward task. Thus, gaining expert knowledge of the GDPR requirements can be crucial to ensure robust and adequate measures for an organization.
The Impact of the GDPR on U.S. Higher Ed Organizations
The reason U.S. higher ed organizations must pay attention to the GDPR is found in Article 3 on ‘Territorial Scope’. According to the Article, the GDPR applies “regardless of whether the processing takes place in the Union or not.” The Article goes on to specify that the GDPR covers “processing activities” undertaken by a data controller or processor who is not in the EU in relation to “the offering of goods or services” and “the monitoring of [individual’s] behavior as their behavior takes place within the Union.” In other words, a U.S. higher ed organization that processes personal data gathered from the EU for the purposes of offering a course or collect analytics for a behavioral profile would fall under the remit of the GDPR.
There are several reasons why a U.S. higher ed organizations should seek to comply with the GDPR. First, it is a legal requirement of the EU, and breaches can be a costly affair. Second, compliance sends a signal to students, staff, and affiliated partners that the organization takes data protection, privacy, and data security seriously. Through GDPR compliance, an organization can demonstrate that it meets its obligations to process personal data responsibly. Compliance requires more than ‘marketing promises’ or ‘slogans’; it requires real effort on the ground. As such, the GDPR can be used to incentivize organizations to implement good data processing practices that will stand them in good stead with their U.S. and EU students and staff alike. It is simply the right thing to do.
CITI Program’s GDPR Resources
GDPR for Research and Higher Ed
This course serves as an in-depth review of GDPR, including when and how it may apply, with a detailed framework for compliance with essential parts of the regulation.
Demo Course | View Course Details
GDPR & Human Subject Research in the U.S.
This webinar discusses applicability and compliance requirements in the U.S.
View Webinar Details