Making Sense of GDPR

 

If you haven’t heard about GDPR (General Data Protection Regulation) the EU’s new standard for privacy protection on the web, you will. In this guest blog post, Brent LaRowe, Registrar at the University of Chicago Laboratory Schools (IL), provides some helpful advice on how the new rules may -- or may not -- apply to independent schools. In this adjustment period, LaRowe suggest that schools “expand on some existing good practices in order to meet a basic level of compliance.” -- SD

[15-minute read]

December 2016: You’ve caught wind of a sweeping data law, General Data Protection Regulation (or GDPR), passed in the European Union, guaranteeing a person’s “right to be forgotten.” There’s a little news buzz. From time to time, you notice another article rehashing effectively the same points, and you put any concerns on your back burner. You’re not in the EU, after all.

March 2018: You’ve attended a half-dozen webinars on GDPR, read fifty articles, chatted with a dozen colleagues, and you’re still not sure about things. Does GDPR affect your school? You keep thinking that it might. What does that mean? Compliance includes getting affirmative consent and allowing revocation and appointing a data officer and reporting breaches within 72 hours…. The entirety is overwhelming. You’re feeling a vague level of panic. After all, you are a technology leader at an independent school, and you’re supposed to have the answers on this.

If this sounds familiar, you are far from alone. Only a quarter of U.S. organizations (and fewer than half of EU organizations) were compliant with GDPR in early May 2018, mere weeks before the regulations took effect. In my conversations with my school’s legal counsel, it has become evident that there’s a lot of “wait and see” out there. We all want to see some clearer examples of violations. Obviously, if your business is collecting information on people who live in the EU, you are on the alert because you know this applies to you. But there are a lot of us on the fringes, and there are no bright lines. For people who like boolean statements, it’s crazy-making.

Does GDPR apply to me?

For my school, the Laboratory Schools, we would obviously have to be compliant, and for the most straightforward of reasons: admissions.  We’re affiliated with the University of Chicago, which recruits faculty from around the globe. As a result, those faculty families become interested in having their children attend our school. We’re waist-deep in personally identifiable information from EU residents, and we absolutely use that information in the scope of our work.

The scene gets murkier for other work that we do. Under current definitions, GDPR applies if the “data subject” — that is, a naturally born person — is in the EU at the time of collecting data. It doesn’t specify for how long, just that the person is there. We often have families who visit EU member states during our back-to-school process, and they’re submitting personal information to us at that time. Our legal counsel isn’t convinced that such tangential contact with the existing definitions would make an otherwise exempt organization suddenly subject to GDPR, but there are others who argue that it applies. Only time (and lawsuits) will tell.

Fine, it applies. What do I do now?

At the Chicago Lab Schools, we’ve decided to expand on some existing good practices in order to meet a basic level of compliance. Having long valued the trust families place in us, we’ve employed dedicated stewards of their sensitive information for a very long time. Some organizations might be afraid to reveal what they do with information, but we are not. “Don’t be evil” might be a bit of a joke anymore, but I think that’s a central tenant to guide you through GDPR compliance. If you are already not-evil, you’re 90% of the way there.

What are my next steps?

1. Write out what kind of data you collect, why you collect it, and how it’s used. Be broad and make your notes easy to understand. Check your information internally, and prepare to make it public. This is our current public statement, soon available on our website, about what kinds of data we collect and why:

Lab collects a variety of contact information to communicate with our families, demographic information in order to best serve our community, academic information which is central to our work, health information to comply with state law and to serve our students, and financial information in order to fulfill our business obligations.

2. Give families a channel to talk about this stuff. That channel can serve as your method to allow revocation of permission, to request a review of the information, to request deletion of the information, as well as to cover other obligations that you already have under FERPA and state law. Our public statement on our website continues:

Families have a right to review nearly all the information described above, and to obtain much of it. Those rights are defined by the Family Educational Rights and Privacy Act (“FERPA”), the Child Online Privacy Protection Act (“COPPA”), the Illinois Personal Information Protection Act (“PIPA”), and in some cases, the General Data Protection Regulation (“GDPR”). If you wish to review or remove information that Lab collects, please email the Registrar, who serves as our data officer.

In that same paragraph we also name a data officer. You probably already have someone who is explicitly in charge of the information your school uses, and that’s your data officer. Also, nowhere in the GDPR material does it say that you must immediately do what the parent asks. If a parent requests to review, modify, or delete information, my plan is to engage our legal counsel first. We will be working toward fulfilling the request swiftly, but there may be information that is central to our work which will not be modified or deleted. I won’t know for sure until I speak with our attorneys.

3. In every form your school controls, new and old, start adding an explicit permission statement that a parent must check allowing you to collect the information. And on that form, tell parents whom they should contact in order to revoke permission. Again, this step initiates a conversation rather than provokes stress about immediate action. You may end up complying fully, but you should have a conversation with your legal counsel first.

4. Take some time to evaluate your current staff training program around information security. Perform that audit you’ve been meaning to do, deploy that phishing test, roll out two-factor authentication, schedule training around identity issues. GDPR requires that holders of information take the security seriously, and you’re already thinking along those lines. It’s time to get everyone else thinking about it, too.

5. Schedule time to review all of your efforts in six months, then again. GDPR compliance will take more solid shape as time goes on and clarifications are made. Plan on continuing conversations about GDPR with your legal counsel and your tech colleagues. Don’t assume you have to get this 100% right the first time. Instead, give it your level best now, and commit to improving your school’s responses.

How important is GDPR?

Make no mistake, GDPR changes the landscape significantly! Thankfully, the changes are intended to keep people in control of their information while providing breathing room for organizations to do their work. Since schools retain information on some of our most vulnerable community members, we’ve been working along these lines in one form or another anyhow. Codify what you’ve got, make a few tweeks, commit to re-evaluate, and you’re pretty much home free!

After you talk with your lawyer.


 Additional Resources for Schools

The GDPR Checklist

GDPR - The Basics

GDPR Fundamentals

Beginner’s Guide to GDPR (written for ad agencies, however the themes and examples proved helpful to me)

Analysis of the definition of “resident” for GDPR compliance

Share this post:

Comments on "Making Sense of GDPR"

Comments 0-5 of 0

Please login to comment