Online: Trending Now

Online: Trending Now #131

The General Data Protection Regulation of the European Union is going into effect on May 25.  If you are not aware of GDPR, now is the time to get up to speed on this European Union policy that may reshape data privacy and security around the world. The EU has greatly expanded the privacy rights of their citizens and put tighter controls on what data may be retained and used. And, that, of course impacts universities who have EU citizens as students, particularly distance learning programs:

It is tempting to believe that American institutions that enroll EU residents in the US are entirely exempt from compliance with the GDPR. This would certainly be true for EU residents who initiate their admission application process from outside the EU, but most EU applicants start the admissions process from their home countries and obtain visas to enter the US after gaining admission to eligible programs. In theory, active student recruitment campaigns targeting EU residents could subject the data collected from such students, whether via automated or non-automated means, to compliance requirements under the GDPR…. The GDPR took years to be adopted, and it is safe to assume that it will take years before its real impact and practical compliance requirements become fully settled.

So, what should you have done by now.  The UK Training Journal sets out a process for preparing for the May 25^thdate:

• Audit your existing data. What current data do you hold? From names and email addresses, to health information or web browsing information, know what you’re working with.
• Map the existing flow of personal data through supply chains. Know where data is going and how it’s being dealt with.
• Hire a data protection officer. If you process data on a large scale or have more than 250 employees, you’re going to need one.
• Create a GDPR team. Include individuals with IT and legal expertise, and a representative from every team that handles data.
• Carry out gap analysis. Look at where the problem areas are and how you can fix them to become GDPR compliant.
• Invest and prioritise. Being GDPR compliant is a business cost, plain and simple.
• Document everything. Aside from being compliant, you need to prove you are compliant. Keep records of when data was gathered and how explicit consent was given.
• Be prepared for a breach. Under GDPR all business are required to report a data breach within 72 hours of becoming aware of one. Be aware of the effect a data breach could have on your customers and your business, and understand the impact of a breach before it even happens with regular data privacy impact assessments. Get a crisis plan in place now.   

Webster University has prepared a succinct graphic to help staff step through a data privacy assurance process when the GDPR is in force. It may be up to you to create awareness across your campus of the new requirements.  Some institutions are considering implementing the GDPR standards for all students and employees rather than segment populations for special treatment.  In any case, it is in the best interests of all if word is spread about the requirements of the new rules.

For further information, EDUCAUSE has created a meta-site on GDPR. 

Of course, I will continue to track the developments in MOOCs, emerging trends, technologies, pedagogies and practices in continuing and professional higher education and share them with you through Professional, Continuing and Online Education Update blog by UPCEA. You can have the updates sent directly to your email each morning  – no advertising, no spam!

Best,
 
Ray Schroeder
Director
National Council for Online Education