FPF Releases New Report on GDPR Guidance for US Higher Education Institutions
Today, FPF released The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions by Senior Counsel Dr. Gabriela Zanfir-Fortuna. The new report contains analysis and guidance to assist United States-based higher education institutions and their edtech service providers in assessing their compliance with the European Union’s General Data Protection Regulation (GDPR).
The GDPR, which went into effect two years ago this week on May 25, 2018, grants individuals certain rights to control how their personal data is collected and used, and imposes steep penalties on organizations found to be noncompliant. When the GDPR came into effect, there was little guidance and few decisions available to help US higher education institutions and edtech companies understand their obligations. Now, two years into the regulation’s implementation, there is significant guidance that can be analyzed and applied. The law applies to most U.S.-based higher education institutions and edtech companies, as these have some type of interaction with EU residents, whether students, faculty, or alumni, or through study abroad programs or other initiatives.
“With this report, we hope to support higher education institutions and edtech companies to solidify trust in the way they are handling personal data of students, prospective students, and faculty, by implementing data practices that fully take into account privacy and data protection requirements”, said Dr. Zanfir-Fortuna, the author of the report, who is Senior Counsel for the Future of Privacy Forum.
Dr. Zanfir-Fortuna has written extensively about GDPR, including in two blog posts from fall 2019, “10 Reasons Why the GDPR is the Opposite of a Notice and Consent Type of Law,” and “Key Findings from the Latest Right to Be Forgotten Cases” as well as an in-depth report, produced by FPF in partnership with Nymity, on the use of “legitimate interests” as a lawful ground for data processing under GDPR. She is also a co-author of the GDPR Commentary published this year by Oxford University Press. Additionally, FPF published a comparison of the key differences between GDPR and the California Consumer Privacy Act (CCPA) to support organizations navigating compliance with both laws.
Amelia Vance, FPF’s Director of Youth & Education Privacy, cautioned that many U.S.-based institutions remain unprepared, despite the high stakes.
“As higher education institutions around the country navigate this unprecedented time, including a rapid transition to online learning and administration, it is critical to remain vigilant about data protection and privacy requirements,” said Vance. “An effective compliance program requires continuous attention and evolution. The consequences of losing sight of that now – potentially millions of dollars under GDPR – are significant, even during these uncertain times.”
The report includes a 10-step checklist with instructions for executing an effective GDPR compliance program. It is designed to assist both organizations with established compliance programs that seek to update or refresh their understanding of their obligations under GDPR, and those that are still in the process of creating or sustaining a compliance structure and seek more in-depth guidance.
The Future of Privacy Forum (FPF) is a Washington, DC-based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts and includes an advisory board composed of leading figures from industry, academia, law, and advocacy groups. For more information, visit www.fpf.org.