Leaders of schools, colleges, and universities that attract students from Europe should be aware of the new comprehensive data privacy and security regulation, known as the General Data Protection Regulation or “GDPR”, which takes effect May 25, 2018. The regulation reaches beyond the European Union to any entity that obtains or receives the personal data of individuals within the European Economic Area (“data subjects”) in connection with offering them goods or services (whether for profit or not) or monitoring their behavior (including online).

The GDPR requires organizations to take documented action to protect the privacy and security of EU data subjects’ personal data. Some core compliance considerations for processing EU student data include:

  • Informed Consent or Other Legal Basis
  • Written Privacy and Security Policies
  • 72-hour Breach Notification
  • Rights to Access and Correct, to be Forgotten, to Data Portability
  • Privacy by Design
  • Vendor/Third Party Contracts
  • Data Protection Impact Assessment
  • Appointment of a Data Protection Officer and/or EU Representative
  • Public and private enforcement mechanisms and penalties for non-compliance of up to the greater of 4% of the organization’s worldwide revenue or €20 million

For more information on GDPR compliance, or other data privacy and security issues, please contact:

Sherwin M. Yoder
(203) 784-3107; syoder@carmodylaw.approvalserver.com

Jennifer A. Calcagni
(203) 575-2648; jcalcagni@carmodylaw.approvalserver.com

Damian K. Gunningsmith
(203) 784-3185; dgunningsmith@carmodylaw.approvalserver.com

For information on school and education law issues, please contact:

Susan L. Henebry
(203) 578-4266; shenebry@carmodylaw,com

Giovanna Tiberii Weller
(203) 575-2651; gweller@carmodylaw.approvalserver.com

Ann H. Zucker
(203) 252-2652; azucker@carmodylaw.approvalserver.com


Related Services