Is Your School Subject To The GDPR?
On May 25, 2018, the European Union’s¹ General Data Protection Regulation (“GDPR”) went into effect, providing significantly greater data privacy and protection to all EU residents. The GDPR replaces the 1995 Data Protection Directive. While many of the previous principles of data privacy remain the same as under the 1995 Data Protection Directive, the GDPR is designed to be consistent with the way technology is used in modern society.
In addition, and quite notably, the GDPR drastically increases the territorial scope of the 1995 Data Protection Directive, as the GDPR applies to organizations beyond EU territory. Specifically, the GDPR covers all organizations, located both in and outside of the EU states, that offer goods or services to, or monitor the behavior of, individuals within the EU.
As such, businesses and non-profit organizations located in the United States, including independent schools, need to carefully consider whether they fall within the ambit of the GDPR. Independent schools that are covered should quickly take action to ensure that they are in compliance with the GDPR rules. Indeed, any organization that is not in GDPR compliance may be subject to hefty penalties.
Below is an overview of the applicability of the GDPR to non-EU organizations, and the key regulatory changes imposed by the GDPR of which independent schools should take heed.
Scope Of Jurisdiction
Of relevance to independent schools, the GDPR applies to “controllers” and “processors” who are not established in the EU where the “processing” of data is related to “the offering of goods or services” to individuals residing in the EU.
The GDPR distinguishes a data controller - which states how and why personal data is processed - from a processor - which is the party doing the actual processing of the data. The GDPR significantly expands the definition of personal data - which now includes any information related to a person that can be used to directly or indirectly identify that individual. This definition would likely cover an individual’s name, photograph, email address, bank details, posts on social media, medical information, and IP address.
Thus, schools collecting personal information online from an EU resident - for instance, identifiable information during the admissions or enrollment process - likely trigger coverage under the GDPR.
Another significant change to the regulatory landscape is the requirement to obtain consent and the conditions required to do so. Under the GDPR, consent means “any freely given, specific, informed and unambiguous indication” of a clear, active, affirmative action by the individual to allow processing of personal data. Long, complex terms and conditions will no longer pass muster. The request for consent must be provided in an intelligible and easily accessible format. There is also a corollary to adequate consent - the right of the individual to withdraw consent at any time. And withdrawing consent must be as easy to do as giving it. Finally, organizations must maintain a record of how and when the consent is given.
There are heightened expectations for protecting the personal data of children. The GDPR imposes a 16-year-old age limit on an individual’s ability to consent to the processing of personal data. (The GDPR does provide that member states may legislate for a lower age of consent, but that no state may permit consent without a parent for a child below the age of 13.) As such, organizations must obtain parental consent for the processing of personal data of children under the age of 16 residing in the EU. This rule explicitly provides that it “shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.” Thus, it is likely the case that schools can treat all international students equally - meaning that they can require parental consent for all these students rather than distinguishing between those who are above and below the age of 16 years old. But the GDPR is ambiguous on this topic.
In the admissions and enrollment context, this likely means that schools subject to the GDPR will need to obtain parental consent both when applications for admission are submitted and during the enrollment process.
Right To Be Forgotten
The GDPR provides individuals with the right to demand that an organization delete their personal data if such data is no longer necessary to the purpose for which it was collected. Individuals can also demand that their data be erased if they withdraw their consent to the data collection, or otherwise oppose the way the data is being processed. In these situations, the controller is responsible for deleting the information, as well as telling other organizations that may have this information to do so.
Organizations that fail to comply with the GDPR may be subject to significant penalties. The maximum fine, imposed for the most serious infractions, is 4% of the organization’s annual global turnover (i.e., revenues) or €20 Million, whichever is greater. This penalty would likely apply if an organization does not obtain sufficient consent, which underscores the importance of this fundamental concept. For less egregious violations, there is a tiered scheme for fines, with the potential for significant financial costs for an organization.
Each independent school should conduct an audit to determine whether it processes personal data of individuals residing in the EU - including prospective and current students, alumni, employees, donors, and any other members of the school community. Schools should evaluate the type of personal data they collect, whether internally or through a third-party provider, and how such information is used.
Any school that falls within the scope of the GDPR’s jurisdiction should work with counsel to ensure that the institution, as well as any outside processors it is using, is in compliance with all applicable rules, including the requirement to obtain consent. Compliance measures may be required for the website, the admissions process, and the enrollment process.
* * *
Please feel free to contact us if you have any questions regarding the GDPR or any other data security laws.
¹The European Union (“EU”), a political and economic union of 28 member states located primarily in Europe, includes the following member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. While the United Kingdom is leaving the EU, the GDPR will take effect before the legal consequences of the Brexit vote.