TRANSCRIPT
General Data Protection Regulation: What International Educators Need to Know
Wednesday, May 30, 2018
Presenters
Jason Baumgartner, Director for Information Services, University of Indiana – Bloomington
Sandra Casey, Deputy Counsel, The State University of New York
Erica Lutes, Executive Director, Fulbright Commission, Belgium & Luxembourg
Caroline Donovan White, Senior Director, Education Abroad Services, NAFSA: Association of International Educators
Overview
• Overview
• Why should you care?
• Risk Assessment
• Case scenarios – Interactive discussion
• Framing questions
• How has your institution prepared?
• Q&A
Overview of GDPR
The General Data Protection Regulation (GDPR) was adopted by the European Commission in order to strengthen and unify data protection for all individuals within the European Union.
Came into effect on May 25, 2018.
Key changes in GDPR include:
• Extended jurisdiction with extra-territorial applicability
• Penalties for non-compliance
• Stronger conditions for seeking informed, explicit consent
• Additional rights for data subjects, including mandatory data breach notification, data erasure (“right to be forgotten”), and privacy by design
Key Terms
• Personal Data
• Sensitive Personal Data
• Data Controller
• Data Processor
• Data Subject
Key Principles
• Fairness & Transparency
• Purpose Limitation
• Data Minimization
• Accuracy
• Storage Limitation
• Integrity & Confidentiality
• Accountability
Why should you care?

Risks of Non-Compliance
• Fines
• Breach notification laws
• Greater scope for actions from individuals
• Reputational harm
Risk Assessment

Risk Assessment and First Steps
Who needs to be involved?
• Stakeholders
• GDPR working group
What does the group need to consider?
• Identification of populations/units affected
• Existing policies
• Examine business processes
Recommendations
• Procedures/practices for compliance
Implementation
• Strategies for rollout
• Costs
Case Scenarios – Interactive Discussion

Case Scenarios
• International Enrollment Management (IEM)
• Education Abroad (EA)
• International Student & Scholar Services (ISSS)
International Enrollment Management
A recruitment staff person employed by University X, solely established in Nebraska, attends a recruitment fair in Spain and collects information (inquiry cards) from attendees of the fair who express an interest in attending University X. Upon returning to University X, the recruitment staff person inputs the data from the cards into the CRM, and University X uses that information for future outreach campaigns. Does your institution consider this area to be subject to GDPR? How does GDPR apply at your institution?
Education Abroad
A University X student attends a study abroad or internship program in an EU country under a consortium arrangement with an EU school. The student attends for a semester and pays fees at the home institution. The EU school has the final decision on admission. The student completes coursework in Europe, with the student's academic record transmitted to University X. EU records are maintained only as source documents. Does your institution consider this area to be subject to GDPR? What are the GDPR requirements, if any?
International Student and Scholar Services
Jose from Spain did not have a good semester as an F-1 student at University X. He withdraws from the University and returns to Spain. After a year, he emails the ISSS office to request that his record be erased under his GDPR right to be forgotten. As part of record keeping and compliance, ISSS reports required data to DHS’s Student and Exchange Visitor Program (SEVP) through SEVIS (the Student and Exchange Visitor Information System). Does your institution consider this area to be subject to GDPR? How does GDPR apply at your institution?
Framing Questions
• What data do we handle?
• Where does it come from?
• How is it being processed?
• Why is it being collected?
• How and where is data stored?
• Who has access?
How has your institution prepared?

Implementation
1. Raise awareness of GDPR within your organization by offering training sessions for staff, sending out webinars/presentations, etc., and appointing a data protection officer
2. Appoint a DPO or allocate responsibilities for data protection issues within the organization
3. Create a GDPR compliance program to keep track of your efforts ("gap analysis": to what extent is my organization compliant?)
4. Engage in data mapping to create a data register that identifies the personal data you process (including the legal basis for this processing)
5. Contact service providers to update existing contracts and undertake necessary IT measures (e.g., working with an IT consultant to ensure password-protected computers and firewalls on WiFi networks)
6. Create/update privacy notices, notifications, and consent forms and determine when and by whom these notices will be received and signed
Example: Fulbright Brussels
Case study: Fulbright Commission in Brussels
• Began working on GDPR with legal counsel in December 2017; several meetings were held so that the ED could understand the ins and outs of GDPR compliance requirements and the lawyer could understand the ins and outs of the Fulbright Commission
• Contacted contractors (e.g., accounting, IT) in December 2017 to update contracts and inquire about GDPR compliance
• Provided GDPR training to staff members in January 2018
• Finalized the data protection notice, guide, and consent forms and distributed them to staff and sub-processors in March 2018 (with a deadline by which to sign and return)
• Began distributing data protection notices to American and European Fulbright grantees along with the (updated) Terms of Award in April 2018
Example: Fulbright Brussels
Sample GDPR timeline: foreign students/scholars

WHEN | WHAT | WHO
December 1 | Fulbright Commission downloads applications from Embark |
Early December | Fulbright Commission sends a confirmation email to every applicant, containing: confirmation that the application is complete (or a request for missing information); a summary of the application timeline; the data protection notice (signature not required at this time) | All applicants
Late January | Fulbright Commission obliges all applicants invited to interview to sign an additional consent form + data protection notice | Top-ranked applicants invited for interview
Early March | Fulbright Commission obliges all selected grantees to sign the Fulbright Terms of Award + IIE Terms & Conditions | All grantees
During/after Fulbright grant | Fulbright Commission updates the consent form as needed for additional use of personal data (e.g., interviewing grantees for the Fulbright YouTube Channel) | Select grantees
Buckets of Data and Effect of GDPR
Example: an EU individual (physically located in the EU) applying to a United States institution to become a student in the United States.
1. Information transmitted from the EU resident to the US institution – i.e., the application for admission (student physically in the EU)
2. Information gathered from the EU resident while a student at the institution (student physically in the US)
3. Information gathered or retained from the EU resident after termination of association with the US institution – e.g., alumni activities, job placement assistance (student physically in the EU)
Generally, buckets 1 and 3 are covered by GDPR but bucket 2 is not, unless data bleeds over into bucket 3.
*** Even if data is protected by GDPR, the data subject does not have a right to request removal of data that is maintained for a business necessity.
Consent
When is consent needed?
Notice & consent may be warranted under the GDPR for such items as:
• In-person recruitment events
• Targeted online recruitment activity
• Some schools are including consent at the point of application
If you are considering a consent statement, we recommend:
• Making sure the data is subject to GDPR and no other “lawful basis” exists for processing the data
• Verifying the need and language of any consent notice with your legal counsel
Q&A

Resources
NAFSA: www.nafsa.org/gdpr, includes a link to the new AACRAO, NACAC, NACUA et al. resource: Interassociational Guide: Implications of the General Data Protection Regulation.
Articles and Recitals of the EU GDPR: https://gdpr-info.eu/
AACRAO: http://www.aacrao.org/resources/trending-topics/gdpr
CASE
• Currents article on GDPR considerations for advancement offices: http://www.case.org/currents/the-key-to-understanding-gdpr?_zl=CmrL4&_zs=HqSME1
• GDPR resource page (CASE member login required): www.case.org/gdpr
EDUCAUSE
• All EDUCAUSE GDPR resources and links to other helpful resources: https://library.educause.edu/topics/policy-and-law/eu-general-data-protection-regulation-gdpr (keep scrolling on the page for all relevant resources)
• Article by EDUCAUSE’s Joanna Grama for the College and University Professional Association for Human Resources on the GDPR: https://www.cupahr.org/data-privacy-gdpr/
Jason Baumgartner ([email protected])
Sandra Casey ([email protected])
Erica Lutes ([email protected])
Caroline Donovan White ([email protected])
Thanks again to our presenters!