I am having a hard time finding any definitive answers about how or if GDPR will affect United States School Districts, and I'm hoping this group can shed some light on the matter.
My understanding is that any business that is in the European Union, or that does business with the EU, will need to ensure its compliance with GDPR. Although we do not do business with the EU, it is possible that we have students who have EU citizenship, whether they are exchange students or living over here on a visa. Can somebody please let me know your understanding of what US school districts need to do (if anything) to ensure compliance with GDPR?
Hi,
"The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location." I take this to mean that if my school provides its service to citizens of the EU and we collect data about these citizens we must comply with the rules of GDPR. (Source: EU GDPR Information Portal)
The basic practices listed here are good practices for data security generally. There was a nice summary on Educause:
The European Union set an effective date of May 25, 2018, for the General Data Protection Regulation, which replaces its Data Protection Directive of 1995 and significantly expands personal privacy rights for EU residents.
Not only is the GDPR more enforceable compared to the DPD, it applies to entities with no physical EU presence if they control or process covered personal information of EU residents.
US institutions with EU-based operations or significant numbers of EU residents as students - particularly those delivering distance education programs to such students within the EU - should be in the final stages of implementing GDPR-compliant practices now.
Also, a good checklist is offered here: https://www.ngdata.com/wp-content/uploads/2018/01/GDPR-Compliance-Checklist.pdf
I hope you find this helpful,
Lisa Fusco
Here are some great resources on GDPR and how it impacts schools.
Please feel free to let me know if you have any questions,
Principal Security Architect / Principal Enterprise Architect, CISSP®
What Does the GDPR Mean for Education?
Institutions of higher education will likely be more impacted than K-12, but that's not to say that districts couldn't ever engage with the EU and be subject to the newly updated law.
The GDPR makes clear that residents of the EU should not be denied any privacy protection regardless of where a business is physically located. This is big for anyone who has a website that solicits business globally, and also has implications for research. As higher education institutions look to do global studies, they must ensure that all practices are in compliance with the GDPR.
According to Educause, "The GDPR will most likely apply to U.S.-based organizations due to the broad language contained in the GDPR that focuses on where the data subject resides rather than where the organization is incorporated."
The consent piece is also something universities that plan to conduct work on subjects residing in the EU must consider. Often, privacy wrap agreements are a boiler-plate used no matter where the user is engaging with a product. If a product or service is being used or subscribed to in the EU, a university must ensure that all the legalese is changed to common terms the user can easily understand.
Melissa Tebbenkamp, CETL | Director of Instructional Technology | Raytown Quality Schools
Raytown Schools Education & Conference Center | 10750 E. 350 Hwy | Raytown, MO 64138
O: 816-268-7122 | F: 816-268-7129 | email@example.com
Expect the Exceptional
To add to the mix, here are some helpful resources:
1. https://www.eugdpr.org/ - Not an official source, but a place where you can find easy access to a copy of the regulation.
2. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ - The UK Information Commissioner's Office. One of the first authorities to issue guidance on the GDPR, and still the most comprehensive and, perhaps most importantly, the most accurate. They also have some decent, if high-level, self-assessment tools.
As a reminder, GDPR applies to processing of personal data of data subjects (aka people) who are in the EU, regardless of where the processing takes place. "Personal data" is defined quite broadly, as "information relating to an identified or identifiable natural person ("data subject")."
If you haven't started your GDPR preparations yet, here are my tips for all organizations at this stage.
For school districts that have nothing to do with GDPR or the EU, are we going to have to worry about it in the future?
Every now and then individuals DO visit our website or YouTube channel, but that is a different item, isn't it?
Evergreen School District #50
Kalispell, Montana 59901
406.751.1111 district offices
The bad news is yes, it looks like US K-12 schools would be in scope; the good news is no one is completely clear on how it would be enforced.
But for all intents and purposes it's a global law, so it could be enforced under international law precedent (the article I included speaks to that in some depth).
This may help to clarify. I have included an excerpt from the article and the link to the full article below.
Hopefully this information is helpful in answering your question,
(Think Exchange students, dual citizen employees and contractors when thinking about the scope for K-12)
Applicability: Does the GDPR Apply to You?
Under the GDPR, jurisdiction is less related to the location where a business is incorporated or headquartered and more to the scope and location of business activity. The GDPR will apply to the processing of personal data by businesses "established" within the EU. More controversially, it also will apply to businesses outside the EU if their data processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals' behavior. This latter provision expands the territorial scope of the GDPR well beyond the EU, essentially making it global law.
1. Article 3(1): "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."