PHILADELPHIA — U.S. colleges and universities under the impression that new European data-protection laws won’t affect them have been urged to think again.
Speaking at a session on the soon-to-be-enforced European Union General Data Protection Regulation, William Hoye, executive vice president and chief operating officer at nonprofit study abroad organization IES Abroad, warned that the new E.U. rules have “very sharp teeth” and would almost certainly apply to all U.S. higher education institutions.
Failure to comply with the E.U. rules could lead to fines of up to 20 million euros, said Hoye. “That’s around $23,634,000. Do I have your attention yet?” Hoye asked.
The GDPR, which comes into force in May 2018, represents a significant expansion of protection for the personal data of E.U. residents, explained Gian Franco Borio, a lawyer who also spoke at the Educause session.
Unlike the previous E.U. Data Protection Directive, the GDPR will apply not only to organizations with a physical presence in the E.U., but also to any organization worldwide that processes the personal information of E.U. residents. Many U.S. institutions have physical outposts in Europe, but even those that don’t will need to look carefully at the new rules because they interact with faculty, students or prospective students based in the E.U., said Borio.
Any institution that receives admissions from residents in the E.U. will need to process their data according to the stipulations of the GDPR. Additionally, European study abroad programs will certainly be affected. So too will information on alumni or donors based in the E.U., said Borio.
“Every U.S. educational institution, has here and there, somehow, a relationship with Europe,” said Borio. “Your institution will for sure have a relationship with Europe or people based in Europe, therefore you need to be concerned about the new regulation.”
Anticipating questions about the status of Britain, which is a popular destination for American students studying abroad, Borio said that the GDPR would come into force before Britain leaves the E.U. Borio noted that even after the U.K. leaves the E.U., the U.K. is “unlikely to reinvent the data-privacy wheel,” therefore institutions should “consider the U.K. fully a part of GDPR, now and in future.”
The definition of data that are protected under the GDPR is broader than U.S. federal laws for data protection such as the Family Educational Rights and Privacy Act, said speakers at the session. While institutions are used to putting measures in place to protect information such as people’s names and addresses, they will now also need to think about protecting people’s IP addresses. Any unique identifiers assigned to people or their electronic devices by institutions, such as in the admissions process, will also need to be protected under the GDPR.
There are general principles laid out in the GDPR that must be implemented and respected, all of which “have to be translated into some kind of technical measure” said Borio. But the regulation does not say which kind of technical measures are needed. “This is left to the organization itself to determine,” said Borio.
The law will require that data breaches be reported to European national state authorities within 72 hours, said Borio. It also means that E.U. residents retain the right of access to their data, and the right in most cases to have their data removed. “These will be very important, very real constitutional rights,” explained Borio.
Institutions will likely need to designate a data-protection officer, either based in the U.S. or Europe, to be held accountable for these data, said Borio. All institutions must also perform “as soon as possible” an in-house assessment of their data-collection and protection procedures.
Identifying the technical measures needed to comply with the GDPR will be a difficult task for institutions, said Hoye. “But the good news is that you have six months,” he said.
In a discussion of the new rules at Educause, the consensus among attendees seemed to be that it would be prudent to begin to apply the data protections needed to comply with the GDPR to all data the institution works with, regardless of whether the data are coming from people in the E.U. or not.
Writing in the Educause Review in August, Barmak Nassirian, director of federal relations at the American Association of State Colleges and Universities, advised institutions with significant engagement with the E.U. to take “immediate steps to engage in good-faith compliance.”
Nassirian advised that all institutions “should be paying close attention to the evolution of the law’s compliance requirements over the coming years.”
“These requirements, while not conceptually dissimilar to the existing array of U.S. privacy and data-safeguarding statutes and regulations, are decidedly both more rigorous and more high stakes,” said Nassirian.