January 28 marked international Data Privacy Day. This blog post highlights EDUCAUSE resources on the European Union General Data Protection Regulation.
January 28 marked Data Privacy Day. Throughout the months of January and February, the EDUCAUSE Cybersecurity Program is highlighting higher education privacy issues. To learn more, visit our awareness campaigns page.
"Awareness Days" like Data Privacy Day serve an important role so long as all involved know that a day is hardly enough time to cover a topic as wide-ranging as privacy in higher education. We mark Data Privacy Day here at EDUCAUSE to underscore the critical attention that privacy and cybersecurity deserve all year long. One of the privacy topics currently of concern to higher education leaders, including CIOs and CISOs, is the European Union General Data Protection Regulation (called the GDPR or the EU GDPR). The GDPR replaces the EU's 1995 Data Protection Directive 95/46/EC (called the DPD).
The GDPR was designed to harmonize data privacy laws across Europe and to reshape the way organizations across the region approach data privacy. The EU data privacy approach, which treats the right to privacy as a fundamental human right, is very different from the U.S. industry-sector approach, where data is viewed through the lens of ownership. Despite being an EU law, the GDPR has gained the attention of U.S. higher education leaders because there is an assumption that many U.S. colleges and universities have sufficient contacts in the EU and with EU residents such that the GDPR will apply to them. And after all, failure to comply with the GDPR can lead to legal action and substantial fines.
The GDPR becomes effective May 25, 2018 — a mere four months after international Data Privacy Day. EDUCAUSE, along with other higher education associations, has been working to share information about the GDPR and how it might apply to U.S. higher education institutions, even though there seem to be more questions than certainties at this point in time. EDUCAUSE is posting links to its own GDPR resources, as well as curating GDPR resources from other higher education organizations (both U.S. and international), on the following webpage: https://library.educause.edu/topics/policy-and-law/eu-general-data-protection-regulation-gdpr
As we add GDPR resources to the EDUCAUSE Library, they will also be added to this page. In addition, you can join the Higher Education Information Security Council (HEISC) Chief Privacy Officers Working Group for an open call on Tuesday, February 13, 1–2 p.m. ET, to discuss how colleges and universities are preparing for GDPR compliance. Email [email protected] for details.
Some of the resources listed on our EDUCAUSE page that might be particularly useful for a general understanding of the GDPR include the following:
- The New EU General Data Protection Regulations: What IT Specialists Need to Know (November 2, 2017, Presentation Session at the 2017 EDUCAUSE Annual Conference, Proceedings Materials): This session examined the EU GDPR and the potential impact on U.S. institutions operating in relation to Europe.
- Online Briefing: Moving Toward GDPR GEANT in Partnership with JISC (November 1, 2017, Recorded Webinar): Sourced by the InCommon Federation as part of their IAM Online series, this webinar explains the new approach established by the GDPR (and the proposed ePrivacy Regulation), the main areas of difference, and the changes it will require to how organizations think about their processing of personal data.
- The General Data Protection Regulation Explained (August 28, 2017, EDUCAUSE Review article): This article offers a discussion of why U.S. institutions should be paying close attention to the GDPR now.
- Overview of the General Data Protection Regulation (GDPR) (October 2, 2017, Government Documents, Laws, Letters, Testimonies or Reports): This overview highlights the key themes of the GDPR to help organizations understand the new legal framework in the EU.
The following are some helpful links that are external to EDUCAUSE:
- Text of the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- CyberArk GDPR Resources: https://www.cyberark.com/solutions/audit-compliance/eu-general-data-protection-regulation-gdpr/. (In particular, note this commercial provider's brief "Get Your Enterprise Ready for GDPR: A Privileged Account Security Checklist for Securing Personal Data," listed on this page.)
Finally, the International Association of Privacy Professionals (IAPP) has also posted a number of GDPR resources, some of which are behind a paywall. However, the association has publicly posted an article that might be particularly useful for institutions with a number of research activities: https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/
A final word regarding the GDPR: fundamentally, the GDPR is a European law that affects business processes regarding the collection, storage, use, transfer, and disposal of an EU resident's personal information. Since most data processing today takes place in IT systems, it makes sense that higher education IT organizations are concerned about compliance with the law. However, IT organizations alone cannot adequately meet the institutional compliance requirements mandated by the GDPR and need the assistance of their institutional general counsel and other business stakeholders. These leaders, particularly university counsel, are in the best position to understand all the different institutional activities to which the GDPR may apply and can lead a coordinated approach toward compliance.
John O'Brien is President and CEO of EDUCAUSE.
© 2018 John O'Brien. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.