Remarks and Resources on the EU General Data Protection Regulation


January 28 marked international Data Privacy Day. This blog post highlights EDUCAUSE resources on the European Union General Data Protection Regulation.


January 28 marked Data Privacy Day. Throughout the months of January and February, the EDUCAUSE Cybersecurity Program is highlighting higher education privacy issues. To learn more, visit our awareness campaigns page.

"Awareness Days" like Data Privacy Day serve an important role so long as all involved know that a day is hardly enough time to cover a topic as wide-ranging as privacy in higher education. We mark Data Privacy Day here at EDUCAUSE to underscore the critical attention that privacy and cybersecurity deserve all year long. One of the privacy topics currently of concern to higher education leaders, including CIOs and CISOs, is the European Union General Data Protection Regulation (called the GDPR or the EU GDPR). The GDPR replaces the EU's 1995 Data Protection Directive 95/46/EC (called the DPD).

The GDPR was designed to harmonize data privacy laws across Europe and to reshape the way organizations across the region approach data privacy. The EU data privacy approach, which treats the right to privacy as a fundamental human right, is very different from the U.S. industry-sector approach, where data is viewed through the lens of ownership. Despite being an EU law, the GDPR has gained the attention of U.S. higher education leaders because there is an assumption that many U.S. colleges and universities have sufficient contacts in the EU and with EU residents such that the GDPR will apply to them. And after all, failure to comply with the GDPR can lead to legal action and substantial fines.

The GDPR becomes effective May 25, 2018 — a mere four months after international Data Privacy Day. EDUCAUSE, along with other higher education associations, has been working to share information about the GDPR and how it might apply to U.S. higher education institutions, even though there seem to be more questions than certainties at this point in time. EDUCAUSE is posting links to its own GDPR resources, as well as curating GDPR resources from other higher education organizations (both U.S. and international), on the following webpage: https://library.educause.edu/topics/policy-and-law/eu-general-data-protection-regulation-gdpr

As we add GDPR resources to the EDUCAUSE Library, they will also be added to this page. You can also join the Higher Education Information Security Council (HEISC) Chief Privacy Officers Working Group for an open call on Tuesday, February 13, 1–2 p.m. ET, to discuss how colleges and universities are preparing for GDPR compliance. Email [email protected] for details.

Some of the resources listed on our EDUCAUSE page that might be particularly useful for a general understanding of the GDPR include the following:

The following are some helpful links that are external to EDUCAUSE:

Finally, the International Association of Privacy Professionals (IAPP) has also posted a number of GDPR resources, some of which are behind a paywall. However, the association has publicly posted an article that might be particularly useful for institutions with a number of research activities: https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/

A final word regarding the GDPR: fundamentally, the GDPR is a European law that affects business processes for the collection, storage, use, transfer, and disposal of an EU resident's personal information. Since most data processing today takes place in IT systems, it makes sense that higher education IT organizations are concerned about compliance with the law. However, IT organizations alone cannot adequately meet the institutional compliance requirements mandated by the GDPR; they need the assistance of their institutional general counsel and other business stakeholders. These leaders, particularly university counsel, are in the best position to understand all the different institutional activities to which the GDPR may apply and can lead a coordinated approach toward compliance.

John O'Brien is President and CEO of EDUCAUSE.

© 2018 John O'Brien. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.