As the European Union's General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, there are many things your institution will need to consider to ensure you are compliant. If you're unfamiliar with the GDPR, know that it is the new standard for protecting the personal data of individuals in the EU: any organization that processes the personal data of EU residents, wherever that organization is located, must meet new obligations to safeguard that data.
To help your organization focus on the upcoming legislation, we’ve provided a few quick tips to help you get the appropriate discussions started.
1. Understand the Rules
Regardless of where your institution is located, you will be affected if you hold personal data on constituents residing in the European Union. Your alumni, donor, and engagement activities may all fall under the GDPR, and failure to follow the regulation carries significant monetary penalties (administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements).
2. Audit Existing Data
Now is a good time to examine the personal data you currently process on behalf of your constituents. Where is it stored? How do you use it? Which third-party vendors do you share it with, and for what purpose? How are those vendors complying with the GDPR? One key element of the regulation is that every party that touches the data must have a lawful basis for obtaining and using it, and must be transparent about how the data is used. So it is prudent to confirm that every processor who comes into contact with your constituents' data is following the regulation and adapting its products and practices to meet GDPR requirements.
3. Know the Rights of your Constituents
Under the GDPR, individuals have the right to ask for access to their data at any time, obtain a copy of it, request details about how it is stored and used, and, most importantly, request that their data be permanently deleted (the "right to be forgotten", or right to erasure). The right to be forgotten has many implications in our industry, as it could mean an individual asks for their transcript or academic record to be removed completely. Note that the right is not absolute: it does not apply where processing is still necessary to comply with a legal obligation, which is why you need to understand your institution's definitions, plans, and processes for supporting these rights before the requests arrive.
4. Create Relevant Processes
Within your organization, you'll want to identify a Data Protection Officer or a task force to manage data-subject requests, report personal data breaches (the GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach, where notification is required), and ensure that relevant policies are updated in a timely fashion. Your task force should evaluate the GDPR as a whole to establish these definitions and processes, then own them going forward.
5. Cross-Check your Contracts
Work with your legal team to ensure that your contracts with relevant third-party vendors clearly define who is the data controller and who is the data processor, along with each party's responsibilities for handling constituent requests, breach notification, and service level agreements.
You will find that there are many layers to preparing for the changes the General Data Protection Regulation brings. Make sure you are taking the time now to set out a detailed plan for your institution.
This article is for general informational purposes only and is not intended as legal advice. If you have any questions regarding the upcoming changes due to the GDPR or want to learn more about your individual obligations, please consult your internal legal team and Data Protection Officer.