
European Union General Data Protection Regulation -January 2018 Newsletter


Written by: Julia Funaki, Associate Director, AACRAO International

The European Union General Data Protection Regulation (EU GDPR) will be implemented May 25, 2018. Is your organization ready?

Disclaimer: The information contained in this article is not legal advice and reflects only the opinion of the author.

If you have a legal issue related to EU Privacy or Data Protection, please contact a licensed attorney for guidance specific to your situation.

Adopted by the European Parliament in April 2016, GDPR will become enforceable in May 2018. It applies to everyone involved in processing data about individuals in the context of selling goods and services to citizens in the EU, regardless of whether the organization is located within the EU. The EU GDPR is a transformative piece of privacy legislation. It replaces the previous Data Directive dating from 1995. Much has changed since then, and given how pervasive both data and cyber threats have become, an overhaul is probably overdue. Nonetheless, this is new territory for those of us on the receiving end of the regulation.

GDPR has been in the works since 2009. It was introduced to specify how consumer data is to be used and protected. The goal is to unify data protection laws across EU member states, with expanded reach and improved protection and regulation to keep pace with modern technology. It applies in all 28 Member States of the European Union. Each member state may also impose additional data requirements, but the requirements of GDPR will be the baseline.

There are several aspects to GDPR that are game changers. The first is that the regulation applies to everyone involved in processing data about individuals in the context of selling goods and services to citizens in the EU, regardless of whether the organization is located within the EU. This falls under Territorial Scope (Article 3).

Data and privacy rights and regulations are not new. What has changed is the amount of data, which has grown exponentially in the more than two decades since the European Data Directive of 1995. Given the mushrooming of data, data leaks, and cyber-crime, this regulation is an attempt to ensure the privacy rights of EU natural persons.

Views of personal privacy are culturally influenced. In Europe, privacy is seen as a fundamental human right not easily bargained away. In US culture, personal privacy is understood as something we need to take care to ensure, but also as something that may be traded. In many ways, it is a consumer right. For instance, I may be happy to provide a company with my name, date of birth, and possibly other data provided it will facilitate a product, service, or information that I may want to access. I am trading some of my privacy for convenience, access, or some other tangible or intangible commodity.

The rights of natural persons of the European Union are outlined in the regulation. These rights are broad, and a full review should be made by your organization.

The obligations of an organization will be linked to whether the organization and/or its components are Controllers or Processors of data. The compliance obligation is on the organization and not the individual. Controllers will have more legal obligations under GDPR, whereas processors will have some legal requirements but most of their obligations will be contractual. It is important to note, however, that an entity may be a controller at one point or in one process, but become a processor in another.

GDPR defines these roles as follows:

Controller: a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing.

Processor: a natural or legal person which processes personal data on behalf of the controller.

Viewed objectively and from a distance, GDPR calls us to look at our organization and our processes and at the data we collect and retain. I would like to propose that rather than thinking of GDPR as a burden, we consider it an opportunity to update our operations for the 21st century. Think of it as an opportunity to thoroughly catalogue and reorganize, retaining only what is needed.

Some have questioned the need to comply with EU regulation, and wondered whether the EU’s reach to enforce would actually be upheld. Time will give us more answers, but for now, the Regulation has sharp teeth in the form of fines. These penalties represent a dramatic increase. “Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.”

https://www.eugdpr.org/key-changes.html

GDPR is coming, and it is just one of many multinational and national privacy regulations that are either in the works or already implemented. There are many questions and uncertainties. The best we can do is to prepare by becoming risk-averse. Clarity will come with implementation and enforcement. This will require legal expertise to interpret the regulation, as well as system-wide cooperation and collaboration.

The American Association of Collegiate Registrars and Admissions Officers (AACRAO) has been working to assist its members with understanding GDPR and its impact on their institutions. AACRAO has convened an informal working group with members from NAFSA: Association of International Educators, the Council for the Advancement and Support of Education (CASE), EDUCAUSE, the University of Indiana Bloomington, the National Association of College and University Attorneys (NACUA), and the National Student Clearinghouse. AACRAO is also posting a series of Frequently Asked Questions on its website. Visit AACRAO's Trending Topics page for videos, webinars, and documents with more information on GDPR: http://www.aacrao.org/resources/trending-topics/gdpr

EU General Data Protection Regulation full text
