In April 2016, the European Parliament and European Council approved the General Data Protection Regulation (GDPR); the rule takes effect beginning May 25, 2018. Intended to strengthen and unify data protection across the European Union (EU), GDPR includes specific provisions for the handling of personal data exported outside the EU, imposes heavier sanctions for noncompliance, and more.
Any institution that processes and/or maintains data of students or citizens of the EU is subject to these regulations. It is critical for institutions to document what personal data is held by the institution, how and why the information is collected, who has access, and when it will be deleted.
Institutions must be able to demonstrate compliance with the following six principles:
- Lawfulness, fairness, and transparency in the processing of personal data.
- Purpose limitation. Personal data is obtained for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization. Data processed is adequate, relevant, and limited to what is necessary.
- Accuracy. Personal data is accurate and, where necessary, kept up to date.
- Storage limitation. Personal data is not kept longer than necessary. However, data aggregated for archiving and research purposes can be kept longer, always subject to safeguards.
- Integrity and confidentiality. Adequate technical and organizational measures must be in place to guard against unauthorized or unlawful processing and against accidental loss, damage, or destruction.
In order to ensure compliance, institutions are encouraged to:
- Consult the institution's legal team to ensure steps toward compliance are being taken.
- Assemble a GDPR implementation task force.
- Maintain all records and documentation of implementation strategies.
- Conduct an audit of what personal data the institution maintains, how it is used, and to whom it is disclosed.
- Use the results of the audit to identify which services present the most risk and focus on mitigating those.
- Review and update student and staff privacy notices to reflect the new transparency requirements of the GDPR.
- Assemble training materials to raise staff awareness of compliance requirements.
For additional information visit:
- American Association of Collegiate Registrars and Admissions Officers (AACRAO), EU GDPR Guidance Resources
- Implications of the General Data Protection Regulation: An Interassociation Guide, developed by AACRAO and others
- EDUCAUSE, The General Data Protection Regulation Explained
- Jisc, Data protection guidance
- Jisc, Preparing for the General Data Protection Regulation (GDPR) for higher education institutions
- Information Commissioner's Office, Preparing for the General Data Protection Regulation (GDPR)
- EU GDPR, GDPR Portal