by Mark Orchison, managing director, 9ine Consulting
Data protection law is changing on a global scale. Much of the change was set in motion by the General Data Protection Regulation (GDPR), the EU regulation on data protection and privacy for individuals within the European Union and the European Economic Area, which also governs the export of personal data outside the EU and EEA. Countries and localities across the world have adapted, amended, or introduced legislation to align their data protection requirements with those of the EU.
From Nigeria, which is drafting its “Data Protection Guidelines 2018,” to California, which is introducing the “California Consumer Privacy Act of 2018” (CCPA) on January 1, 2020, attention to data protection is widespread. However, there is also enormous variation in how the GDPR is understood, interpreted, and enforced in jurisdictions outside the EU, including among the individual states in the U.S. This year alone, Alabama, Arizona, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, South Dakota, Vermont, and Virginia have all passed laws amending or strengthening their data protection statutes, mirroring some of the obligations of the GDPR.
Schools, particularly those outside the EU, face the challenge of determining whether the GDPR will change data protection law in their own country or state. They also bear the burden of understanding whether and how local laws might change to accommodate the GDPR and, if they do, what mitigating actions the additional GDPR-style obligations would require. School professionals working in admission and advancement are likely to be the first exposed to these changes, because they routinely exchange personal data with families and institutions abroad.
Transferring Personal Data Out of Country or State
The GDPR, and most of the non-EU laws modeled on it, require organizations to have protections in place when sending or receiving personal data, regardless of the sender’s or recipient’s location. For schools sharing information with another school or organization in the EU, this can be achieved by signing a contract that includes the relevant data protection terms, or by signing a data sharing agreement. Many schools, regardless of location, use cloud-based systems that can be hosted anywhere in the world. Where this is the case, the GDPR (and the majority of comparable laws) obligates schools to ensure that adequate protections are in place when transferring personal data to an organization or cloud-based system in a third country outside the country or state in which the data was originally collected or processed. Under the GDPR this typically means relying on a recognized transfer mechanism, such as an adequacy decision for the destination country or standard contractual clauses written into the vendor contract, rather than on the vendor’s general assurances.
For schools to continue sharing personal information where these obligations exist (e.g., when a student transfers from a school in one country or state to another), data sharing agreements (or something similar) should be in place. These agreements require the school operating under the weaker national or state data protection law to adhere to the same data handling standards as the school from which the personal data was sent. A non-EU school receiving data from an EU school would thereby agree, by proxy, to a number of GDPR obligations even though those obligations are not part of the law in its own jurisdiction. Note, however, that there are significant open questions about how the obligations in a data sharing agreement can be enforced in practice across legislative borders.
Likewise, to comply with the law, businesses and not-for-profit organizations have amended their terms of business and contracts, placing contractual obligations on those they do business with to comply with changes in data protection law. It is therefore likely that schools in most countries and states have already agreed, by virtue of contract law, to more stringent obligations on how they process data, without necessarily recognizing that this is the case.
What is the Impact?
The impact for non-EU independent schools will be felt through the international transfer of data between organizations, the inclusion of clauses in service agreements that obligate both parties, and the adoption by multinational businesses of standard data protection terms that follow GDPR principles in all jurisdictions, including those outside the EU. For schools in the U.S., the changing nature of data protection law will be felt through the ripple effect of the GDPR and of changing state law, such as California’s.
What Should You Not Do?
You should not assume that changes to data protection law, such as the GDPR, have no impact on your school now or in the future. The transparent and wide-reaching nature of the regulation means organizations must be methodical in working out how and where they are affected. The obligations placed on your school will become clearer over time. For schools, they will materialize through suppliers and cloud system vendors updating their contract terms, or through other schools refusing to share personal data with you unless your school signs a data sharing agreement (in which you confirm that your school handles the data to the standard of whichever party is subject to the stricter data protection law).
How to Prepare
There are three components to compliance: governance, data protection, and information/cyber security. Running through all three is the principle of “accountability”: organizations must not only comply with data protection law but be able to demonstrate that compliance with evidence and metrics. An ability to assess information and cyber security risks is therefore critical under almost every variation of data protection law. In practice, this means school leadership must know how secure their IT systems and services are, how vulnerable they are to a breach, and how susceptible staff are to attacks such as phishing campaigns, and must be able to show how they reached those conclusions.
What’s on the Horizon
Legislation is changing across the world to accommodate the GDPR. Some countries are adopting its text almost word for word, while others are being less specific but still implementing its core principles. What is clear is that organizations in countries where data protection law is weak must still comply, by virtue of other means such as data sharing agreements and contracts.
Within the EU, there is a new kid on the block whose reach is even wider: the proposed E-Privacy Regulation. This regulation will apply to any organization whose website sets cookies on the devices of individuals located in the EU or European Economic Area (EEA), or which undertakes digital marketing to people located in the EU/EEA. Significantly, if you are a school in the U.S. with an employee who travels to the EU on business and visits the school website, that employee is considered to be in the EU and the E-Privacy Regulation will apply. Even if the GDPR somehow does not apply to you, the E-Privacy Regulation most likely will.
Independent schools should stay abreast of changes to data protection law. They should also consider every area of school practice that could be affected by the GDPR and by changes to the laws in their own state or locality, and they should assess the security of both their own IT systems and those provided by external vendors.