What Higher Ed HR Professionals Need to Know About New Data Privacy Rules in the European Union
This blog post was contributed by Joanna Lyn Grama, director of cybersecurity and IT governance, risk and compliance program at EDUCAUSE.
On May 25, new data privacy rules will take effect in the European Union. Known as the General Data Protection Regulation (GDPR), this regulation will also have compliance implications for colleges and universities in the United States.
What Does the GDPR Do?
The GDPR, which was approved in April 2016, does two things: (1) it explicitly confers numerous rights upon data subjects located in the European Union (EU), and (2) it requires covered organizations to put significant safeguards in place regarding the use and processing of personal data of EU subjects (failure to do so can result in enforcement action and significant penalties).
Personal Protections Under the Regulation
Under the regulation, individuals have the right to, among other things:
- Access any data that an organization has collected about the individual;
- Know why an organization is processing the individual’s personal data and the categories of personal data that an organization processes;
- Correct any errors in personal data collected or processed by an organization;
- Know how long an organization will store the individual’s personal data; and
- Under certain circumstances, require the organization to permanently delete the individual’s personal data (this right is sometimes referred to as the right to be forgotten or the right to erasure).
Obligations for Organizations
GDPR imposes a number of obligations upon the organizations that are subject to it. Notable requirements include that the organization:
- Have a legal basis for collecting and processing the personal data of EU data subjects, document that legal basis, and only collect and use data when a legal basis exists;
- Minimize the collection and processing of personal data whenever possible;
- Protect any personal data that it collects and uses;
- Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal data of data subjects, implement a plan to mitigate those risks and impacts, and continuously monitor both the risks and the mitigation plan for change;
- Conduct a data protection impact assessment for special categories of high-risk data collection and processing; and
- Have a breach notification policy, and notify authorities within 72 hours of learning of the breach.
Organizations located within the EU must comply with the GDPR, as do organizations, regardless of where they are located, that offer goods or services to or collect data on people in the EU.
GDPR Terms to Know
GDPR uses several defined terms that have special meaning within the regulation:
- A controller is an organization that directs the collection of personal data from a data subject.
- A processor is an organization that uses or processes personal data from a data subject at the direction of a data controller.
- A data subject is an identified or identifiable natural person.
- Personal data is any information about an identified or identifiable data subject. It can include direct identifiers like name, address, email address and national identification numbers or indirect identifiers like location data or IP address. (Note: This list of data elements is not exclusive, and the definition of “personal data” under GDPR should be considered in the broadest possible context.)
The Onus Is on the Organization Collecting the Data
Both controllers and processors must implement policies and practices to ensure that a data subject’s privacy rights are not violated. As mentioned earlier, GDPR specifies that data controllers and processors must have a documented legal basis for collecting and processing the personal data of EU data subjects. There are two basic categories of legal basis: (1) consent from the data subject, and (2) one of the specified business reasons for processing data.
Organizations must specifically be able to point to consent or to one of the stated business purposes as their reason for processing data. The GDPR consent requirements are very specific and limit the use of personal data for uses other than those specifically stated in the consent document. For that reason, generally speaking, most organizations will want to be able to identify one of the stated business reasons for processing the personal data of an EU data subject.
Impact on U.S. Colleges and Universities
GDPR poses a concern for U.S. higher ed institutions, particularly in those instances where colleges and universities interact with EU data subjects. These interactions must be fully understood, documented and assessed for GDPR applicability. For instance:
- Does GDPR apply if an institutional website is merely accessible in the EU via the internet? Probably not.
- Does it apply to the collection of IP address information from that same website to feed subsequent faculty and staff talent management or student recruitment activities? Maybe.
- Does it apply to talent management and recruitment activities specifically directed at EU data subjects? Probably.
- Does it apply to a U.S. institution’s EU-based study abroad programs? Most likely.
What Can HR and Other Stakeholders Do to Prepare?
Higher ed HR professionals will want to review their institutional talent management strategies to understand where the institution is collecting and using personal data collected from EU data subjects. HR professionals will also want to know what types of personal data are being collected, and whether it is possible to minimize certain types of personal data collection.
To properly assess the impact of GDPR, numerous institutional stakeholders — from legal counsel to HR professionals, business unit directors, data stewards and IT organizations — must work together to understand the rights and obligations conferred by GDPR and how the institution collects and uses data from EU data subjects. These same stakeholders must also work together to understand the business risk that GDPR non-compliance introduces and how best to mitigate that risk within the context of all other institutional business risk.
GDPR is a complicated piece of legislation, and many of its impacts on U.S. higher education institutions cannot be fully understood until after the May 2018 enforcement date. However, HR professionals can start preparing for GDPR now by understanding talent management data collection and use activities and by consulting with institutional legal counsel to ensure that talent management activities are part of the institution’s overall GDPR compliance plan.
This blog post does not constitute legal advice. Institutions are strongly encouraged to consult with their legal representatives to understand the application of GDPR to institutional data collection activities. Learn more about GDPR.