Did you know that most higher education institutions will be required to meet new data protection standards starting May 25, 2018?
The European Union’s General Data Protection Regulation (GDPR) will affect institutions that recruit EU students, have alumni or donors residing in the EU, or offer study abroad programs there. It is not yet clear how the regulations will be enforced, or how penalties will be assessed, against U.S. institutions, but fines can reach 20 million euros depending on severity and other factors.
Institutions are encouraged to get out in front of this regulation before it arrives at their doorstep! Below are some of the specific data protection requirements that may differ from what you currently have in place:
- Must obtain consent before collecting data from someone.
- Must notify affected persons of a data breach within 72 hours.
- Must provide data subjects a free electronic copy of their personal data when requested.
- Data subjects have the right to be “forgotten”, meaning erasure of their personal data and cessation of its dissemination.
- Must allow personal data to be portable in an electronic format for the subject’s own use.
- Data systems must be built with privacy by design using appropriate technical security measures.
- A qualified Data Protection Officer must be appointed by organizations that process personal data and have over 250 employees.
If you would like more information on these new standards or would like assistance in assessing your readiness for GDPR, please contact Jason Whitaker at jwhitaker@ddaftech.com or Megan Crane at mcrane@deandorton.com.