Have you heard of the General Data Protection Regulation (GDPR) passed by the European Union Parliament? Since most of our readers are in North America, there is a chance that if you did hear about it, you figured it didn't apply to you.
Well, that may not be accurate.
If you have conference guests or students from an EU country, this regulation could apply to you.
With clients spanning the globe, this is a topic we have watched closely because of what it means for our clients. We have worked to learn all we can to share the impact it has on you.
So, let's start at the beginning.
What is the EU GDPR?
It is an extension of an existing data privacy regulation. The basic premise of the new regulation, taking effect May 25, 2018, is that it provides additional protection for EU citizens against any organization that stores their personal data.
What does this mean?
Any citizen of the EU can request the deletion or anonymization of any personal data stored about them by a company.
Personal data refers to “any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
With respect to minors, it states “parental consent will be required to process the personal data of children under the age of 16 for online services.”
The regulation also states that an EU citizen can request, at any time, a printed report of all personal data held about them by an organization.
Lastly, the regulation has a “Need to Consent” provision whereby on any website used to collect personal data, there must be a clear option for the user to consent to the collection and storage of their personal data. This cannot be in the Terms and Conditions or a footer on your page. It must be a clearly defined element that requires a user response.
What is “Consent”?
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-checked boxes or inactivity.
Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.
Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data. Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organization’s or a third party’s legitimate interests.
You are not required to automatically "repaper" or refresh all existing data protection consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
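The consent rules above map directly onto how a web form's consent element should behave. The following is an added example, not code from the original post or from Kinetic Software: it captures consent only on an explicit opt-in (never from a pre-checked box), keeps it separate from terms acceptance, stores a verifiable record with the notice version and timestamp, and supports withdrawal. The form field names, purpose labels and the in-memory store are assumptions.

```javascript
// Constructed in-memory store keyed by data-subject id (assumption; a real
// system would persist this so the consent record is auditable).
const consentStore = new Map();

// form: what the browser submitted. consentChecked is true only if the user
// ticked the box; defaultChecked records whether the box was rendered pre-ticked.
function captureConsent(subjectId, form, now = new Date()) {
  // Consent cannot be inferred from silence or inactivity: require the tick.
  if (form.consentChecked !== true) {
    return { ok: false, reason: "no affirmative opt-in" };
  }
  // A pre-checked box is not a positive opt-in, even if it was left ticked.
  if (form.defaultChecked === true) {
    return { ok: false, reason: "pre-checked box cannot establish consent" };
  }
  // Consent must be specific: each purpose is named, and it must not be
  // bundled with acceptance of the Terms and Conditions.
  if (!Array.isArray(form.purposes) || form.purposes.length === 0) {
    return { ok: false, reason: "no purpose specified" };
  }
  if (form.purposes.includes("terms_and_conditions")) {
    return { ok: false, reason: "consent must be separate from terms" };
  }
  // Verifiable record: who, for what, which notice wording, and when.
  const record = {
    subjectId,
    purposes: [...form.purposes],
    noticeVersion: form.noticeVersion, // the exact text the person was shown
    givenAt: now.toISOString(),
    withdrawnAt: null,
  };
  consentStore.set(subjectId, record);
  return { ok: true, record };
}

// Withdrawal must be as simple as giving consent; keep the record for audit.
function withdrawConsent(subjectId, now = new Date()) {
  const record = consentStore.get(subjectId);
  if (!record || record.withdrawnAt !== null) return false;
  record.withdrawnAt = now.toISOString();
  return true;
}

// Processing for a purpose is allowed only while unwithdrawn consent covers it.
function hasConsent(subjectId, purpose) {
  const r = consentStore.get(subjectId);
  return !!r && r.withdrawnAt === null && r.purposes.includes(purpose);
}
```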
Who does this affect?
If your department processes personal data about any EU citizen, you are subject to complying with this regulation, regardless of where you are located.
For conference services teams, this means any client who is an EU citizen as well as any attendee who is an EU citizen. For student housing departments, this means your resident students.
If any of the above applies to you, then you need to understand what is required by this regulation and what you can do to prepare for compliance.
Fines for failure to comply come with a very hefty price tag: €20 million or 4% of the university’s annual global turnover for the preceding financial year, whichever is greater.
How can you prepare?
- First, talk to your campus legal team. While we are sharing this information based on our experience, we are not legal experts, so it is best to review your business processes with them to determine what is affected.
- Second, do a data mining exercise. What kind of data do you currently capture about your clients/guests/students? Where is this stored? Is any of it printed on reports? Printed reports need to be disposed of properly to be compliant.
- Third, determine if there is a different way to collect and store the data that will lend itself to a faster resolution should you find yourself being asked by an EU citizen for the printed report or to purge their data.
- Fourth, if you have any type of e-commerce website that may be used by an EU citizen, you will need to add the "Need to Consent" element to it.
- Lastly, if you use commercial software, talk with your software provider to find out if they have any tools in place that will help you come closer to compliance with minimal manual intervention. Under the GDPR, providers have a general obligation to implement technical measures to show they have considered and integrated data protection into their software. As such, new systems will always use a "privacy by design" methodology.
For Kinetic Software Customers
Our new product, KxArchiver, can help you come closer to compliance. We will be providing customers with videos to review the regulation in more detail and to inform you how KxArchiver can assist you in the process.
With less than a year to prepare, now is the time for you to be learning as much as you can about the new EU GDPR and form a plan for how you will ensure compliance within your department.
Under the GDPR, a company must appoint a data protection officer (DPO). Consult your legal team to learn if a DPO is required for your organization as well as to learn more about the exact steps you will need and approval you may need for any plans you make moving forward.