New European Union Data Protections Effective in May, Apply to Many US Institutions

By Megan Walter, Policy & Federal Relations Staff

The General Data Protection Regulation (GDPR), adopted by the European Parliament in April 2016, will go into effect starting May 25, 2018. While the regulation is European Union (EU) born, it will influence the compliance processes of American universities and colleges that collect or process covered personal information of EU residents, including students, faculty, and staff. In addition, the protections would also apply, under certain circumstances, to United States citizens studying abroad in the EU and the United Kingdom, which has chosen to adopt the regulation as well.

The GDPR will replace the EU's current Data Protection Directive of 1995 and extend coverage to entities with or without a physical footprint in the EU, as well as to many more stages of information management than any current U.S. privacy law protects.

GDPR major requirements include seven areas:

  • Consent — Consent form language must be easily understood and include an easy process for customers to withdraw consent

  • Breach Notification — Customers must be notified of any risk to personal information within 72 hours of discovery

  • Right to Access — Customers must have access to an electronic copy of their personal stored data

  • Right to be Forgotten — Customers have the right to request their information, if no longer relevant, be completely removed from an institution's database

  • Data Portability — Customers have the right to use their obtained personal data for individual use

  • Privacy by Design — Data protection must be built into all systems at implementation

  • Data Protection Officers — A professionally qualified officer must be appointed in public organizations with over 250 employees to monitor the processing and storage of personal data

The fine for a non-compliance finding can be hefty, with the highest tier of fines ranging from 10 million to 20 million euros ($12,400,000 to $24,800,000), depending on the infraction.

For further questions, information, or additional resources on the implementation of compliance practices or the effects of GDPR on your institution, NASFAA suggests contacting your institution's legal counsel or the American Association of Collegiate Registrars and Admissions Officers (AACRAO).


Publication Date: 2/20/2018

Joshua M | 2/20/2018 11:32:07 AM

I don't see how they could possibly have any jurisdiction.

