Regulatory Alert: EU Data Privacy Regulations Effective May 25, 2018

New data privacy protections from the European Union go into effect May 25, 2018. Colleges and universities that operate an extension program in one of the 28 EU member nations, recruit students from the EU, or enroll EU-based students in distance education courses will be affected by the new regulation.

The General Data Protection Regulation (GDPR) is broad: it provides blanket data privacy protections to individuals in the EU (the regulation applies based on where the person is located, not on citizenship) and reshapes how organizations collect and use personal data. This is in contrast to the US, which has a variety of sector-specific privacy laws (FERPA for education, HIPAA for healthcare, etc.) rather than a single, overarching law. The EU adopted the GDPR in April 2016, with an effective date of May 25, 2018. The major requirements of the GDPR fall into seven areas:

Consent: Requests for consent must be written in clear, easily understood language, consent must be an affirmative act rather than a default, and withdrawing consent must be as easy as giving it.

Breach Notification: A personal data breach must be reported to the relevant supervisory authority within 72 hours of the institution becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the affected individuals, they must also be notified without undue delay.

Right to Access: Individuals must be able to confirm whether their personal data is being processed, learn how it is used, and obtain a copy of the data held about them, in a commonly used electronic form when they request it electronically.

Right to be Forgotten: Individuals have the right to request that their personal data be erased from an institution's systems, for example when it is no longer needed for the purpose it was collected for or when they withdraw the consent on which the processing was based.

Data portability: Individuals have the right to receive the personal data they provided in a structured, commonly used, machine-readable format, and to have it transmitted to another organization.

Privacy by Design: Data protection must be built into systems and processes from the design stage, with privacy-protective settings as the default rather than an add-on after implementation.

Data Protection Officers: A qualified officer must be appointed to monitor the processing and storage of personal data. The appointment is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data. (The separate 250-employee threshold in the regulation concerns the exemption from keeping records of processing activities, not the DPO requirement.)

The fines for non-compliance are substantial. Lower-tier violations carry fines of up to €10 million or 2% of global annual turnover, whichever is higher; upper-tier violations (including breaches of the core data processing principles, consent conditions, and individuals' rights) carry fines of up to €20 million or 4% of global annual turnover, whichever is higher.

If a campus has not done so, MICU strongly advises member institutions to:  

1.     Determine your exposure to the GDPR. Because the regulation covers individuals located in the EU, the following groups may qualify for the new protections: American students studying abroad or at your extension campus in an EU member state; EU residents studying at the extension campus or at the US campus; faculty and administrators based in the EU; alumni in the EU who have been approached for development purposes; and EU residents taking distance education courses.

2.     Review the regulation and your responsibilities, including the required disclosures and interactions with an EU nation's supervisory authority. The regulation establishes that privacy is a fundamental right and stresses consent as one of the permitted bases for collecting and using personal data, so the approach your campus takes to collecting information (and asking for consent) may have to change. A supervisory authority is established in each EU nation to receive complaints, work with organizations on ensuring compliance, and investigate claims.

Carl Winans