The European Union's General Data Protection Regulation

Slide 1: The European Union's General Data Protection Regulation
Webinar 2 in a series
November 14, 2017

Slide 2: Presenters
Bret Cohen, Partner, Hogan Lovells
Julia Funaki, Associate Director, AACRAO International
Mark McConahay, Vice Provost and Registrar, Indiana University - Bloomington
Heidi Wachs, Special Counsel, Jenner & Block

Slide 3: Disclaimer
The information contained in this presentation is not legal advice and reflects only the opinions of the presenters. If you have a legal issue related to EU Privacy or Data Protection, please contact a licensed attorney for guidance specific to your situation.

Slide 4: Agenda
1. GDPR: Implementation & Basic Principles
2. Toward Implementation
3. Clarity needed!
   1. Territorial Scope
   2. Rights - particularly the Right to Be Forgotten
   (Transparency items in NACUA webinar)
4. Risk Assessment
5. Breach Reporting Guide
6. Sample Situations

Slide 5: GDPR - implementation May 25, 2018
NEW ERA: GDPR signals the next era of Data Protection and Privacy
Data privacy is a fundamental right, and cannot easily be bargained away
There must be a lawful basis for all data processing (e.g., consent, necessary to perform a contract, required by law, legitimate interests balanced against impact on individuals)
Personal data processing is subject to principles
Specific rules apply to processing special categories of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetics or biometrics, health, sex life or sexual orientation, criminal record

Slide 6: Basic Principles
Transparency, lawfulness, and fairness
Purpose limitation
Data minimization
Accuracy
Storage limitation
Security
Accountability

Slide 7: Does GDPR signal a shift in our profession?
Registrar's Mission: Ensure that the institution maintains accurate personal, academic and enrollment records for its entire student population, past and present, and provide access to data derived from these records only when appropriate.
Admission's Mission: To recruit, admit, and serve an eligible, diverse student population.
Mission Collision? Mission Shift? Or Other?

Slide 8: How might this impact a university?
1. US universities with their own branch campus or study center in the EU
2. US universities sending students to or at local counterparts (exchange, faculty-led, research, or internship programs)
3. Collaboration with EU institutions
4. Online learning platforms
5. Research incorporating EU data sets
6. Soliciting student applications from the EU
7. Recruiting faculty from the EU
8. Receiving donations from the EU

Slide 9: GDPR: A comprehensive approach
EU privacy law applies to all processing of personal data.
Personal data: any information relating to an identified or identifiable natural person (e.g., name, identification number, location data, online identifiers such as IP addresses, images).
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Slide 10: Territorial Scope

Slide 11: To whom does the GDPR apply?
Applies to:
  Processing carried out in the EU
  Organizations outside of the EU that offer goods and services to EU residents
  Organizations outside of the EU that monitor the behavior of EU residents (i.e., track online behavior)
Covers data controllers and data processors
  Definitions are the same as those under the DPD (the earlier Data Protection Directive)
  Data processors will be required to maintain records of personal data and processing activities and will be subject to greater liability if responsible for a breach
  Data controllers cannot push liability onto processors; they must ensure contracts require processors to comply with GDPR
This encompasses any time we work with EU residents, including prospective applicants and families, current and past applicants, alumni, scholars, staff, researchers, and anyone involved in institutional exchange.

Slide 12: Controllers and Processors

Slide 13: European privacy law: The fundamentals
Obligations are tied to whether an organization is a controller or a processor of personal data.
Controller: the entity that determines the purposes and means of the processing of personal data.
Processor: an entity that processes personal data only on behalf of and on the instructions of the controller (e.g., service providers).
Controllers are subject to significantly more legal obligations under the GDPR.
Processors have some legal requirements, but most obligations will be contractual.

Slide 14: Consent

Slide 15: Lawful Processing of Personal Data
Must have a legal basis to process personal data.
Lawful conditions for processing:
  With consent
  When necessary:
    To perform, or enter into, a contract with the data subject
    To comply with a legal obligation
    To protect vital interests of the data subject or another person
    For the performance of a task carried out in the public interest
    For legitimate interests pursued by the controller (can include first-party marketing!) or a third party, except when such interests are overridden by the interests or rights of the data subject

Slide 16: Lawful Processing: Consent
Requires some clear, affirmative, demonstrable action; silence, pre-checked boxes, or inactivity will not constitute consent
Data controller must maintain some form of record regarding how and when consent was given
Cannot be permanently binding: the data subject must be given the right to withdraw consent at any time and must be informed of this right before giving consent
Cannot be a condition of performance of a contract when not necessary to perform the contract
Request for consent must be presented clearly and in plain language, distinguishable from other matters

Slide 17: Right to Be Informed

Slide 18: Right to Be Informed (cont.)

Slide 19: To Do Items
Review and modify notices, as appropriate
Identify which data is collected directly from the data subject and which data is collected from other sources
Ensure notice is given at the appropriate time
Ensure that third parties who supply data provide timely notice to the company so that the company can, in turn, provide timely notice

Slide 20: Right to Be Forgotten

Slide 21: Clarification on the right to be forgotten
Registrars and Records officers keep records: what does the Right to Be Forgotten mean for our work?
Contrary to our profession
Principles of Student Record Management
What about cases of discipline or violations: can an individual request that those be forgotten?

Slide 22: Breach Notification

Slide 23: Data Breach Notification
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data...
Notify supervisory authority
  If likely to result in a risk to individual rights and freedoms
  Within 72 hours (unless law enforcement requests delay)
Notify individuals
  If likely to result in high risk to individual rights and freedoms
  Without undue delay
  Supervisory authority may instruct controller to notify individuals
  Exceptions: (1) unlikely to result in "high risk"; (2) appropriate technical and organizational protection was in place (e.g., encryption); or (3) would involve disproportionate efforts

Slide 24: Data Breach Notification (cont.)
Notify data controllers (applies to data processors)
  All breaches
  European Data Protection Board to issue guidelines
  Without undue delay after becoming aware of breach
Information in breach notification
  Nature of the records and approximate number and categories of individuals affected
  Name and contact information for data protection officer or other contact point
  Likely consequences of breach
  Measures taken or to be taken to mitigate the breach
Documentation by data controller
  Record of facts related to the breach, its effects, and the remedial measures taken
Significant fines for non-compliance
  Fines of up to €10,000,000 or 2% of annual global turnover, whichever is higher

Slide 25: Risk Assessment

Slide 26: Risk Assessment
The NACUA webinar pointed out that enforcement happens when there is a breach or a complaint. To this end, AACRAO has initiated an informal working group with the goal of providing a risk assessment guide for AACRAO members and others in higher education.
Members of this group include: AACRAO, CASE, EDUCAUSE, Hogan Lovells, IES Abroad, Jenner & Block, NACUA, NAFSA, and National Student Clearinghouse.
AACRAO will continue to provide guidance on interpreting GDPR.

Slide 27: Sample Situation #1
Applicant in the EU applying to M.Y. University, located in any place, U.S. We require the following items: transcript, and application with personal info, including: date of birth, applicant and parents' names, address, education history, test scores, extracurricular info, financial info, immigration info.
What do I need to do to ensure that I am compliant in processing the data of the applicant?
Are my responsibilities different for an admitted vs. denied applicant?

Slide 28: Sample Situation #2
Our institution has current domestic students attending a branch campus in the EU: is there a difference in how their data is handled while they are studying in Europe?

Slide 29: Sample Situation #3
We ask users of our website to agree to our terms before they proceed - is that not sufficient?
Currently our system has a privacy notice that comes up and states that we use cookies. Is this sufficient for GDPR?

Slide 30: Sample Situation #4
At my University, IT handles these sorts of issues. I don't think there is any reason to spend my department's time and resources on this.

Slide 31: Sample Situation(s) #5
One of our students from an EU country has been academically dismissed and is now asking to be forgotten. Are we required to comply?!?
We had a data breach in 2014, and a student recently contacted us and requested that he be forgotten in our system. Does this come under GDPR?
We have a student who has a large debt with our institution, which we have attempted to collect. They are stating their right to be forgotten and that we are not permitted to pursue payment. This isn't covered by GDPR, is it!?!
We have an admission application for someone who applied to our institution 8 years ago, and is coming back to reapply. Currently we have those records, but is that still permissible under GDPR?

Slide 32: Sample Situation #6
My colleague at a small institution had a data breach last year and it was a nightmare for her. However, the GDPR's breach notification raised a few questions as well as a few hairs on the back of my neck! - 72 hours!! Does that mean if we have a breach on Friday, we need to notify the administration, all students, or just the affected student? How? I don't want to create campus-wide panic, but I want to be compliant. Is there any guidance?

Slide 33: Selected Resources
Compliance: General Data Protection Regulation - How to Prepare
UKFast Round Table: Three points on GDPR - Ardi Kolah at GDPR Conference Europe

Slide 34: AACRAO Webinars
Join us for Webinar #3 on GDPR, January 2018 (date TBD)
Archived Webinars available at
Thank You