Technical staff at many independent schools are working hard to meet the May 26 deadline for compliance with the General Data Protection Regulation (GDPR), a European Union law that regulates the way organizations handle personal data. Because the required changes can impact business processes for U.S.-based schools, all business officers should know about the law. “This is not just an IT matter, but a broader privacy and business operations issue that school administrators should review,” said Grace Lee, vice president, legal affairs at NBOA. Fines can run up to 4 percent of an organization’s global revenue or 20 million euros, whichever is higher.
Schools must adhere to the GDPR if they collect data on anyone who resides in the EU — not just citizens, but also residents — including students, parents, prospectives, alumni and staff. Once EU citizens arrive in the U.S., however, U.S. data laws apply.
The GDPR addresses collection, storage, processing and disposal of personal data as well as security breaches that put data at risk. The law’s definition of personal data is broad; it “can be anything from a name, a photo, an email address, posts on social networking websites, medical information, or even a computer IP address,” according to Debra Wilson, general counsel, and Whitney Silverman, staff attorney at NAIS, in a recent NAIS legal advisory (password-protected for NAIS members). Sensitive information, regarding racial or ethnic origin or sexual orientation, for example, is subject to additional regulation.
The law is complicated, but essentially it requires organizations to demonstrate their compliance with the following standards when collecting and using personal data involving people in the EU:
The GDPR also stipulates a number of individual rights, including:
Schools can comply by having a lawful basis for the personal data they collect, providing transparent privacy policies, actively communicating with individuals about how they will gather and use personal data, and responding in a timely manner to complaints and requests, according to the NAIS legal team.
Schools are advised to consult their legal counsel and software providers for further information and to assess their compliance with the GDPR.
Additional resources for information on the GDPR’s standards for the lawful basis for collecting personal data, data breach notifications, fines, compliance, enforcement and more: