On May 25, 2018, the European Union will begin enforcing the General Data Protection Regulation (GDPR), which enacts strict standards for the handling, retaining, and processing of the personal data of any individual located in the EU. The GDPR standards apply to businesses and organizations around the world, including in the United States, if they are handling any such data. In today’s global economy with American colleges and universities seeking opportunities worldwide, the GDPR’s broad application will have a substantial impact upon U.S. higher education institutions. The EU has set severe penalties for some failures to comply with the GDPR: up to 4% of a business’ global turnover, or 20 million Euros, whichever is higher.
If that potential fine has grabbed your attention, you may be wondering whether the GDPR applies to you. Here are three questions to consider:
If you answered “yes” to any of those questions, then you should take steps to ensure that your institution complies with the GDPR.
The GDPR's provisions on data protection, consent, access, rectification, breach notification, and the "right to be forgotten" apply comprehensively to all personal data within its scope. In most instances, these requirements are broader than those of comparable American laws. Also, unlike the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA), the GDPR is not limited to certain types of data or industry sectors.
If your institution is subject to the GDPR, you should have a plan in place to ensure compliance. If you have questions regarding whether the GDPR applies to you, or whether you potentially could be in violation, you should consider contacting an attorney who can evaluate how the GDPR practically impacts your institution. The Cybersecurity and Higher Education Teams at Steptoe & Johnson PLLC can help you determine what factors you need to consider and what steps you need to take to meet the high standards established by this new European regulation.