In short, the law sets guidelines about how organizations collect, store, share and use personal data of individuals in the EU and also ensures those individuals have certain controls over how their personal data is collected and used. The sanctions for GDPR violations are 4 percent of annual revenue or €20 million, whichever is greater for a particular company. The law also includes fines for improper data breach notification at 2 percent of annual revenue or €10 million, whichever is greater.
“If you are outside of the EU but you offer goods or services, or you're monitoring the behavior of individuals in the EU, then you fall under the scope of the GDPR,” explained Barton. The law protects not just EU citizens and legal residents but anyone in the EU. Whether or not a school is subject “depends on the totality of the circumstances,” and Barton suggests schools seek legal counsel for a firm answer. If a school is actively recruiting EU families or has a large alumni base there, for example, it may well be subject. If a school has no international students and isn’t seeking any, it probably isn’t.
Barton suggests schools think about four main areas to comply with GDPR.
- Know where your school stores its data.
- Know where your school is processing its data.
- Know what personal information your school collects.
- Manage third parties.
“These four things can get you pretty far in all of the different parts of GDPR,” said Barton.
The law concerns personal data, the definition of which under the GDPR is “very broad,” Barton says. “It's any information relating to an identified or identifiable natural person.” That could be information like email and mailing addresses but also financial transactions and donation information, if that data is attached to an individual.
Schools must obtain consent to collect data for a specific purpose and not deviate from that purpose without notice. “There's a heightened bar when the data subject is a child,” said Barton. “A school should really think through all of the types of information that [it] would need from a student, and try to seek consent for as broad of categories of information [as needed] so that they're covered.”
The regulation may seem complicated, but Barton’s primary advice is straightforward: “I think the main thing is just to really be aware of what you're collecting, and what you're saying to individuals and data subjects at the time of collection, because that may govern what you can collect and what you can do with that information.”
For more information on GDPR as well as the more recently passed California Consumer Privacy Act of 2018 — now applicable only to for-profit companies but a possible bell weather for future state laws — listen to the webinar and read the slides and transcript.
