What Is the GDPR?
The European Union (EU) General Data Protection Regulation (GDPR), adopted in April 2016, is a regulation that is intended to broadly and conclusively provide data privacy and security protection for residents of the EU. It becomes effective May 25, 2018. The GDPR is binding on all 28 EU member states and will immediately repeal previous data regulations, including the 1995 EU Data Protection Directive.[1] The GDPR has a wider reach and broader scope than the EU Data Protection Directive. The GDPR can in many cases apply to U.S. higher education institutions if those institutions control or process data about residents of the EU. Unlike prior laws, the GDPR takes the position that residents of the EU should not be deprived of security and privacy protections solely because a business or organization that targets those residents is located elsewhere.
When Does the GDPR Apply to U.S.-Based Institutions?
The GDPR applies to any organization established outside of the EU that processes any personally identifiable data (called "personal data" in the GDPR) about residents of the EU (called "data subjects" in the GDPR) when that processing is related to either:
a) "the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
This language is quite broad and will conceivably cover almost any website on the Internet that is globally available, offers goods or services, and collects personal information of any kind. It is anticipated that the GDPR will apply to U.S. institutions in a variety of scenarios, including institution-controlled public-facing websites that offer goods or services, any website that tracks personally identifiable user information or behavior, student study abroad programs, and potentially any research about residents of the EU that could in some way identify them. For example, enrollment activities may be covered under the GDPR if an institution is targeting or enrolling people located in the EU and the institution collects personal data about those individuals during the enrollment or recruitment process.
When the GDPR Does Apply, What Does It Actually Do?
The GDPR is an extremely extensive regulation of the complete life cycle of a data subject's personal data. This means that the protections specified in the GDPR address what types of data may be collected under specific circumstances, how that data may be used, how the data must be secured, how the data must be disposed of, and what rights the data subject has during the life cycle of their personal data. The GDPR imposes a variety of data privacy and data security requirements that organizations must follow, including:
- Data security practices
- Personal data usage and privacy restrictions
- Data breach reporting requirements
- Personal data consent collection requirements
Consent is the cornerstone of GDPR requirements. The regulation generally requires specific informed consent regarding what personal data is being collected and for what purposes. Once the personal data is collected, it must be processed, stored, and shared in a manner that is compatible with that consent. Unless the data subject gives consent to process, retain, or share the data (or, in some instances, unless the data is carefully and fully anonymized), the GDPR will not allow further processing, storing, sharing, or performing of any action on the personal data (outside the scope of the consent initially given).
The GDPR also includes requirements regarding data security practices. For example, organizations must implement appropriate measures to protect personal data and must also follow the GDPR's breach notification provisions. While the security requirements in the GDPR are very general, it is likely they could be applied after a data breach occurs to show that the organization failed to take an appropriate data security posture.
When the GDPR does apply to an organization, the organization must comply with the regulation or potentially face action by the appropriate body in the EU charged with enforcing the GDPR. This action can include a fine of up to 20 million euros, or 4% of an organization's annual revenue, whichever is greater. It is unknown how fines will be calculated for nonprofit entities.
What This Means as the GDPR's Enforcement Date Rapidly Approaches
When the GDPR takes effect on May 25, 2018, it will be the primary data privacy and security regulation for the European Union. The GDPR will most likely apply to U.S.-based organizations due to the broad language contained in the GDPR that focuses on where the data subject resides rather than where the organization is incorporated. When considering the GDPR, U.S.-based higher education institutions should:
- Consult with legal counsel knowledgeable about international laws. Institutions, especially those with high levels of international research, global commercial activities, study abroad, or enrollment of people based in the EU, should be mindful of the GDPR. Research and other activities that target residents of the EU should be considered especially sensitive. It is important to know where an institution's contacts with the EU are, and the type of data that might be collected (and the circumstances of collection) from residents of the EU. Understanding these items will help the institution and its legal counsel best assess the institutional risk posed by the GDPR.
- Monitor the GDPR as it comes into effect and assess how EU member states are enforcing the regulation. This will also help the institution assess the potential risk of noncompliance. As more information becomes available about how the GDPR will apply to U.S. organizations in practice, U.S. institutions can then enact the appropriate policies and procedures to minimize risks when dealing with the personal data of people located in the EU.
- Review contracts carefully. Institutions will want to ensure that accurate language is included in any vendor contract to require the vendor to abide by EU regulations like the GDPR.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, 2016 O.J. (L119) 87 [hereinafter General Data Protection Regulation].
Jaime R. Tuttle-Santana is a legal fellow in the information security office at the University of California, Davis.
© 2017 Jaime R. Tuttle-Santana. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.