What is General Data Protection Regulation?
General Data Protection Regulation (GDPR) is a European Union law that will come into force in May 2018, significantly improving data protection for individuals in the European Union and internationally by introducing new restrictions for companies that process the data of EU residents. The new regulation requires organizations to adopt stricter data protection controls, and specifies procedures and timeframes for breach notification. The GDPR also broadens the rights of individuals with respect to their personal data, and involves larger penalties for violations.
What does it mean for higher education in the US?
GDPR applies to any US business or public body that stores or processes the data of EU residents. This includes every employer in the EU, businesses that offer products and services to EU citizens and residents, and companies that process personal data on behalf of other organizations. GDPR also impacts companies that do not have a presence in the EU.
GDPR protects almost all types of personal data, including basic identity information, financial data, web data and more. According to Article 9, certain types of data cannot be processed unless the data subject has given explicit consent; this list includes biometrics, racial or ethnic origin, political opinions, and data concerning health.
Higher education institutions, especially those with high levels of international research, global commercial activities, study abroad or enrollment of people based in the EU, should be mindful of GDPR.