Steps To Take To Become GDPR-Compliant
In our last blog post, we discussed whether GDPR applied to schools in the US and Canada. Assuming that GDPR applies to your school, what do you need to do next?
1 – Consent
GDPR requires that an organization obtain consent from an EU resident before collecting and processing his or her personal data. The consent request should state what data is being collected and how it will be used and stored, and no more personal data should be collected than is necessary to fulfill the stated purpose. In practice, a short explanation plus an explicit opt-in indicator on materials such as your application, EU accepted-student forms, and alumni/donor data requests would likely suffice.
2 – Rights to ‘Access’, ‘Port’ and ‘Be Forgotten’
Schools should be prepared to provide an EU resident, upon request, with copies of the personal data the school maintains about him or her (the “Right to Access”). In addition, EU residents have the right to “port” their personal data from one institution to another. Under certain circumstances, the school may also be required to delete the personal data and ensure that all third parties do the same (the “Right to be Forgotten”).
3 – Data Encryption
GDPR also requires “pseudonymisation,” processing data so that it cannot be attributed to a specific person without some additional piece of information that is stored separately. In the photo management area, we believe this can be accomplished by separating the photo from its metadata, encrypting both, and storing them separately, a practice employed by Vidigami.
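As an added illustration of the separation described above (example code written for this post, not Vidigami’s implementation), the following Python keeps photo bytes and identifying metadata in two stores that share only a keyed pseudonym, and shows how the access, portability and deletion rights from section 2 are served from those stores. Encryption at rest of each store is assumed to be handled by the storage layer and is not shown; the student identifier, name and photo bytes are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PseudonymisedPhotoStore:
    """Photos and identifying metadata live in two stores linked only by a pseudonym.

    The link key is the "additional information" that must be held separately
    (for example in a key management service); without it a pseudonym can neither
    be derived from nor traced back to a student identifier.
    Constructed example, not a production design.
    """
    link_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    identities: dict = field(default_factory=dict)  # pseudonym -> metadata (identity side)
    photos: dict = field(default_factory=dict)      # pseudonym -> list of photo bytes (content side)

    def pseudonym(self, subject_id: str) -> str:
        # Keyed hash: stable for one subject, but unpredictable without link_key.
        return hmac.new(self.link_key, subject_id.encode(), hashlib.sha256).hexdigest()

    def store(self, subject_id: str, metadata: dict, photo: bytes) -> str:
        p = self.pseudonym(subject_id)
        self.identities[p] = metadata               # name, class, e-mail stay on this side only
        self.photos.setdefault(p, []).append(photo)  # content side never sees the metadata
        return p

    def export(self, subject_id: str) -> dict:
        # Right to Access / Right to Port: reassemble the subject's data from both stores.
        p = self.pseudonym(subject_id)
        return {"metadata": self.identities.get(p), "photos": list(self.photos.get(p, []))}

    def forget(self, subject_id: str) -> None:
        # Right to be Forgotten: remove both the identity record and the content.
        p = self.pseudonym(subject_id)
        self.identities.pop(p, None)
        self.photos.pop(p, None)

    def content_store_mentions(self, value: str) -> bool:
        # Sanity check: identifying strings must never leak into the content side.
        needle = value.encode()
        return any(needle in blob for blobs in self.photos.values() for blob in blobs)
```

Anyone holding only the content store sees pseudonyms and photo bytes; re-identification needs the identity store and the link key as well, so those two belong under separate access controls.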
4 – Recruiting a Data Protection Officer
While a Data Protection Officer is not likely to be required for a school, GDPR suggests that organizations appoint one, and doing so is likely a best practice for a school: it gives parents and alumni a single point of contact for inbound questions and organizes outbound communication on this and related topics. Vidigami has put a Data Protection Officer in place to give its customers and users a clear place to go for information and requests.
The law, with some exceptions, also prohibits subjecting EU residents to “automated decision-making,” such as a school application process that includes no human review. What’s more, GDPR includes provisions for notifying the EU and the affected individuals if a data breach occurs; this breach-notification obligation certainly needs to be reflected in all of your agreements with technology vendors.
5 – Review agreements with EdTech Vendors
Critically, schools that outsource the collection and/or processing of their data must ensure that those organizations (SIS vendors, photo/video management services, alumni CRMs, etc.) are themselves GDPR-compliant. A thorough review of those requirements, and of the agreements you have with those vendors, is an important first step towards compliance. In fact, it may be wise to outsource your data collection and processing only to organizations that are already compliant with GDPR.
In the end, schools in the US and Canada are unlikely to be a near-term target of EU enforcement procedures. Nevertheless, schools would be wise to align with the spirit of GDPR and implement those procedures and policies that make sense for their school, based on the scope of their contact with the EU and their risk tolerance. GDPR is considered the gold standard of data privacy and, over time, federal and state/provincial law will likely require it of schools and their technology vendors, if it does not already.