GDPR – The Impact on US Public Universities

With the advent of a digital platform, comes the data security issues. The social media platforms along with other media sources are strewn with data breach horror stories, the most recent being Facebook who confirmed sharing sensitive and personal information of its patrons with the data firm Cambridge Analytica for a whopping amount.
As the race to streamlining and implementing compliance regulations hots up, it’s imperative to ascertain the material and territorial scope of the compliance regulations in place along with what constitutes personal data under their preamble.
GDPR or General Data protection regulation is a harmonized data protection law implemented across the EU in May 2018 to monitor how the personal data of any individual or entity located within EU, is shared. In the same vein, US has two blanket federal laws that govern the privacy of the country, FERPA (Family Educational Rights and Privacy Act) and ESRA (Education Sciences Reform Act). The scope of FERPA pertains to the data used in the classroom whereas ESRA governs the research use of the data. Although they have been implemented for a while now, they haven’t been reauthorized for many years and by many in the field of data security, are considered out of date for the technologies that are in use nowadays.
Now the pertinent question that arises is whether the varsities in the US are GDPR compliant. The truth is far from it as the scope and parameters of the two data protection laws are quite different. In FERPA the personal data definition also known as directory information encompasses a completely different set of information compared to what is covered under GDPR. For Instance, grades, gender, religion, race, GPA are not considered directory information within the FERPA preamble whereas all these parameters are considered sensitive in the GDPR framework.
The rules of GDPR will come into effect in mostly all the US universities due to the many exchange student programs and students from EU taking up the myriad courses. The EU’s GDPR will impact all the US colleges and universities that process data relating to students from Europe. The failure of non-compliance comes with a heavy penalty; therefore, institutions should be ready with rules in place to protect information of students or professors in the EU, regardless of their residency status. The requirements would also apply to faculty and students who communicate with campuses while in Europe.
In addition to this, the universities should be able to understand the scope of GDPR, as to what and where the data to hold along with having a compliance check in place for any third-party vendors who maintain data security etc. for them. The right to be forgotten is a key feature of GDPR which must be adhered to and the institutions should be able to accommodate the request to erase the data of EU students and ensure any third party processors also adhere to it, with any data breaches promptly reported.



Leave a Reply

nineteen − 10 =