Schools must adhere to the GDPR if they collect data on anyone who resides in the EU — not just citizens, but also residents — including students, parents, , alumni staff. Once EU citizens arrive in the U.S., however, U.S. data laws apply.
The GDPR addresses collection, storage, processing and disposal of personal data as well as security breaches that put data at risk. The law’s definition of personal data is broad; it “can be anything from a name, a photo, an email address, posts on social networking websites, medical information, or even a computer IP address,” according to Debra Wilson, general counsel, and Whitney Silverman, staff attorney at NAIS, in a recent NAIS legal advisory (password-protected for NAIS members). Sensitive information, regarding or ethnic origin or sexual orientation, for example, is subject to additional regulation.
The law is complicated, but essentially it requires organizations to demonstrate their compliance with the following standards when collecting and using personal data involving people in the EU:
- Be fair and transparent.
- Have specific, legitimate purposes.
- Ensure data is accurate.
- Protect collected data from unauthorized use.
- Allow individuals to “opt in” to data collection, rather than automatically collecting the data and requiring individuals to opt out.
The GDPR also stipulates a number of individual rights, including:
- Transparent privacy notices
- Access to data collected about them
- Control of how the data is processed
- Right to be “forgotten,” i.e., have an organization erase all data regarding them.
Schools can comply by having a lawful basis for the personal data they collect, providing transparent privacy policies, actively communicating with individuals about how they will gather and use personal data, and responding in a timely manner to complaints and requests, according to the NAIS legal team.
Schools are advised to consult their legal counsel and software providers for further information and to assess their compliance with the GDPR.
