On May 25, 2018, the European Union’s (“EU”) General Data Privacy Regulation (“GDPR”) takes effect. It purports to regulate the control and processing of the data of EU residents, wherever that data is stored. However, the broad territorial scope of the GDPR has not been tested in any court or legal proceeding, leaving many organizations, including United States-based independent schools, scratching their heads over compliance with the law.
What is the GDPR?
For those unfamiliar with the dreaded acronym, the GDPR is a law passed by the EU Parliament in 2016 that imposes a uniform set of data privacy regulations throughout the EU based on several key general privacy principles: transparency and consent, right of access to personal data, right to rectification and erasure (also known as the right to be forgotten), data portability, and the right to object to automated individual decision-making.
Independent schools that actively collect data from EU residents (such as applicants or alumni) are likely to be classified as “data controllers” as that term is defined in the GDPR. Generally, controllers are responsible for implementing technical safeguards and organizational measures to protect data, implementing “protection by design and default” measures, and ensuring that data processors (such as software vendors) handle data responsibly and in accordance with the schools’ directives. Penalties for failing to comply with the GDPR can be quite steep, ranging up to 20 million Euros or 4% of an organization’s global annual revenue, whichever is greater.
What does this mean for independent schools?
The uncertainty surrounding the GDPR coupled with its stiff penalties puts independent schools in the unenviable position of trying to plot a path forward without knowing how the law will be applied to them, or whether EU regulators will even be successful in enforcing it against American organizations. Luckily, we have some recommendations.
First, independent schools should examine what data of EU residents they collect or possess. Some independent schools may discover that they hold only a small amount of EU residents’ data, and that they can avoid falling under the GDPR’s umbrella simply by deleting it. Second, they should evaluate how they came to possess EU residents’ data in the first place. Institutions that, for example, own property or employ staff in the EU, have relationships with “sister” schools in the EU, recruit students directly from the EU, or target donation solicitation efforts toward EU residents are likely at greater risk of being the target of enforcement actions by EU regulators or EU residents than those that do not.
Developing a Compliance Plan
Independent schools that believe they may be subject to the GDPR should consider appointing a data privacy officer to lead the school’s compliance efforts. This may include working with other staff on developing a compliance plan or road map to address the school’s obligations under the GDPR.
While data controllers are responsible for implementing technical safeguards, independent schools may find it more cost-effective to first address organizational measures to protect data privacy, such as developing GDPR-compliant consent forms, GDPR-compliant notices to apprise EU residents of their rights under the GDPR, and GDPR-compliant data breach response plans.
Even though the deadline for implementation of the GDPR is May 25, many organizations will fail to be fully compliant by that date. However, this does not mean that independent schools should ignore the May 25 deadline or their ongoing data protection responsibilities thereafter. Rather, they should plan their compliance efforts to maximize the returns on their first investments.
The summer months may provide an excellent opportunity to begin providing constituents with notice materials and consent forms to get GDPR compliance efforts heading in the right direction. Obtaining EU residents’ consent to control and process their data, and to continue to interact with them in the future, either by sending them additional promotional material or by soliciting support, can go a long way toward demonstrating to potential EU regulators the seriousness with which independent schools are taking their data privacy obligations.
For further information on the GDPR or to discuss how these issues may impact your school, please contact any member of our Privacy and Data Protection Team.