    August 2018

    GDPR Basics for Educational Institutions

    The General Data Protection Regulation (GDPR), which became effective May 25, 2018, protects data privacy rights of all “natural persons” (or “data subjects”), regardless of citizenship, who are inside the European Union (EU), including tourists. It also imposes numerous rules and restrictions on organizations that process “personal data,” even if they have no physical presence in the EU. Many U.S. educational institutions (colleges and K-12 schools) are subject to the GDPR’s requirements. To understand the basics of the regulation and whether your institution may need to comply, consider the following overview and recommendations.

    Which Organizations Are Covered, and When?

    A U.S. educational institution is subject to the GDPR if it has an “establishment” in the EU, such as a study abroad program, even if it does not own or control the facilities used, or if it offers goods or services to consumers in the EU, such as distance learning. In addition, the GDPR would apply to institutions that:

    • Have employees working or performing research in the EU
    • Use personal data originating from the EU
    • Recruit potential students or employees in the EU
    • Conduct certain other outreach to individuals (e.g., donors) in the EU

    Caution: This is not an exhaustive list. Institutions should consult counsel experienced in global data privacy laws to determine if individuals for whom they handle personal data are protected by the regulation.

    Personal Data and Rights of Data Subjects

    The GDPR places numerous restrictions on educational institutions that process personal data (information relating to an identified or identifiable data subject), including limitations on the types of personal data they can process. In addition, the regulation establishes many rights for data subjects. For example, data subjects must be notified in “clear and plain” writing about how their personal data is collected, used, managed, and disclosed. “Small print” privacy notices that contain legalese or jargon would not comply with the regulation.

    Enforcement
    Enforcement of the GDPR is primarily carried out by “supervisory authorities,” which the GDPR requires member states to designate. Each supervisory authority has broad enforcement powers, ranging from demanding information and conducting investigations and audits to issuing warnings and imposing fines. For extreme offenses, fines may run up to 4 percent of global revenue or 20 million euros (over $23 million), whichever is greater. In addition, data subjects can sue organizations in EU member state courts for violating the GDPR.

    UE Recommendations

    Institutions that are unsure of their GDPR status should determine, in consultation with counsel, whether they are obligated to comply. If so, UE recommends promptly taking the following actions:

    • Convene a working group, including representatives from information technology, risk management, insurance, legal counsel, study abroad, human resources, student affairs, admissions, administration or business, and academic areas involved in international research. This group should review all institutional policies and procedures related to the collection, processing, and storage of personal data, considering questions such as:
      • What data is collected, from whom, and for what purposes?
      • Who processes data?
      • Are privacy notices GDPR-compliant?
    • Based on the group’s recommendations, revise policies and procedures appropriately.
    • Train all affected employees.


    Resources

    • GDPR text
    • AACRAO, Nov. 2017 webinar, “GDPR: A Legal Interpretation for Higher Education”
    • EDUCAUSE resources
    • NACUA (National Association of College and University Attorneys) resources (limited to NACUA members)

    Sample Institutional GDPR Policies

    • Colorado College
    • New York University
    • University of Massachusetts
    • Yale University
