The General Data Protection Regulation (GDPR), which came into effect in May of 2018, protects the data privacy rights of all persons in the European Union. The law applies to any company that processes the data of an individual residing in the EU, regardless of whether that company has a presence in the EU. This affects any company or institution that has users located in an EU country, even if the company or institution is based in the United States or elsewhere. This brings challenges for universities and educational software vendors with an international presence.
Any organization that knowingly has data subjects in the EU should perform an audit of how they store user data and what steps they need to take in order to be compliant with GDPR. The following are some of the key points an organization should be cognizant of when striving to be GDPR compliant.
Organizations that fall under GDPR must understand what data they are collecting and how that data is processed and stored. GDPR outlines what data may be processed, how it must be processed, and the bases that are lawful for processing the data.
GDPR states that data processors must only collect data that is necessary for the completion of an explicit and specific task. The processor must clearly explain what data is collected and for what purposes. The data subject's information must be kept secure and only held for as long as necessary.
Data may only be processed if there is a lawful basis for doing so. The six lawful bases for processing data include: when consent is granted by the data subject; when there is a contract between two parties; when there is a legal obligation to do so; when there is a vital interest to do so; when there is a public task that is achieved; and when there are legitimate interests to process data.
Data subjects must be allowed to request erasure of their data unless the processor has a legal obligation or is collecting data for a public task. Organizations must reply to the request to erase a user's data within one month. Data subjects are also allowed to request a copy of the data that has been collected with their consent, and data processors must also comply with that request within one month.
Any organization in the education sector (e.g. universities, schools, software vendors, etc.) that does business with residents of the EU must be aware of what data they are collecting and how they are ensuring that personal data is being protected.
Unless there is a legal obligation on behalf of the organization or there is a public task being fulfilled, a data subject has a right to request erasure of their data. For public institutions, such as universities and school districts, the data they process may very well be for a public task. For example, a university may process the data of its international students from the EU if it is done for teaching or research purposes at the university.
It is important for companies and institutions to track what legal bases they are using to lawfully process data. Using the same set of data for different purposes may require noting the use of different legal bases. Additionally, whenever an organization wishes to use collected data for a new purpose, it must obtain consent from the data subject for this new purpose.
The key to GDPR is being aware of what data you have and what legal basis you have for processing it. This requires auditing the data that is currently collected and the users it is collected from. The next step is to ensure that you inform your users about how you will use their data and the lawful basis for doing so. Finally, ensure that your users have a method to request a copy of their data or to request that their data be erased or changed.