EU's General Data Protection Regulation (GDPR)

As records become increasingly digitized, many institutions hold highly sensitive personal information on their students, employees, and other individuals in digital form. As such, the need to protect data and privacy rights of individual is pressing. General Data Protection Regulation (GDPR) was introduced to specify how consumer data of citizens in the EU should be used and protected. 


Who is affected?

GDPR applies to all institutions involved in processing data about citizens in the EU, regardless of whether the organization is located within the EU. This regulation replaces Directive 95/46/EC.


Enforcement Date: May 25, 2018

Adopted by the European Parliament in April 2016, GDPR will be enforceable in May 2018. Depending on the article violation, non-compliant institutions face fines either
1) €10 Million or 2 percent of global turnover, whichever is higher
or 
2) €20 Million or 4 percent of global turnover, whichever is higher

GDPR explained in 3 minutes

Five important aspects of GDPR


REGULATION (EU) 2016/…
OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL


of

on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Topic Contributors

Bret Cohen
Hogan Lovells

Mary Chapin
National Student Clearinghouse

Brian Flahaven
CASE

Julia Funaki
AACRAO

Joanna Grama
EDUCAUSE

Tracy Locklin
National Student Clearinghouse

Mark McConahay
Indiana University - Bloomington

Kristen Meeks
NACUA

Joann Ng Hartmann
NAFSA

LeRoy Rooker
AACRAO

Heidi Wachs
Jenner & Block


Resources

GDPR Whiteboard infographic explaining GDPR
Guide to train staff on GDPR
Beyond GDPR: The Challenge of Global Privacy Compliance - An Interview with Lothar Determann

  • InsideHigherEd article on GDPR states "[Institutions] will now also need to think about protecting people’s IP addresses. Any unique identifiers assigned to people or their electronic devices by institutions, such as in the admissions process, will also need to be protected under the GDPR." posted 11/6/2017
  • Hogan Lovells' GDPRnow app provides companies with assistance to identify practical steps to comply with the new framework posted 10/27/2017
  • Educause library on GDPR posted 10/27/2017
  • Opinion piece from the Article 29 Working Party, an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. The European Data Protection Board (EDPB) will replace the Article 29 Working Party under GDPR. posted 10/27/2017
  • The General Date Protection Regulation Explained posted 8/31/2017
  • GDPR and Blockchain posted 8/8/2017
  • FAQs
  • Hogan Lovells' guide to preparing for GDPR
  • TrustMarque infographic checklist on GDPR
  • Preparing for the EU GDPR, TrustMarque Whitepaper


AACRAO Activities

Up Next

2017
26 - Building Awareness of the EU's GDPR, a Discussion Webinar
View Archive
24 - National Association of College and University Attorneys (NACUA) Webinar
Purchase Recording
2018
24 - AACRAO Webinar
25 - 28 Annual Meeting Session
25 - Enforcement begins
Last updated 11/29/2017