
Schools Scramble to Comply with EU Privacy Law

By Net Assets posted 04-20-2018 02:47 PM


Technical staff at many independent schools are working hard to meet the May 26 deadline for compliance with the General Data Protection Regulation (GDPR), a European Union law that regulates the way organizations handle personal data. Because the required changes can impact business processes for U.S.-based schools, all business officers should know about the law. “This is not just an IT matter, but a broader privacy and business operations issue that school administrators should review,” said Grace Lee, vice president, legal affairs at NBOA. Fines can run up to 4 percent of an organization’s global revenue or 20 million euros, whichever is higher.

Schools must adhere to the GDPR if they collect data on anyone who resides in the EU — not just citizens, but also residents — including students, parents, prospectives, alumni and staff. Once EU citizens arrive in the U.S., however, U.S. data laws apply.

The GDPR addresses collection, storage, processing and disposal of personal data as well as security breaches that put data at risk. The law’s definition of personal data is broad; it “can be anything from a name, a photo, an email address, posts on social networking websites, medical information, or even a computer IP address,” according to Debra Wilson, general counsel, and Whitney Silverman, staff attorney at NAIS, in a recent NAIS legal advisory (password-protected for NAIS members). Sensitive information, regarding racial or ethnic origin or sexual orientation, for example, is subject to additional regulation.

The law is complicated, but essentially it requires organizations to demonstrate their compliance with the following standards when collecting and using personal data involving people in the EU:

  • Be fair and transparent.
  • Have specific, legitimate purposes.
  • Ensure data is accurate.
  • Protect collected data from unauthorized use.
  • Allow individuals to “opt in” to data collection, rather than automatically collecting the data and requiring individuals to opt out.

The GDPR also stipulates a number of individual rights, including:

  • Transparent privacy notices.
  • Access to the data collected about them.
  • Control over how their data is processed.
  • The right to be “forgotten,” i.e., to have an organization erase all data regarding them.

Schools can comply by having a lawful basis for the personal data they collect, providing transparent privacy policies, actively communicating with individuals about how they will gather and use personal data, and responding in a timely manner to complaints and requests, according to the NAIS legal team.  

Schools are advised to consult their legal counsel and software providers for further information and to assess their compliance with the GDPR.
