DENVER -- American colleges and universities that have yet to figure out a plan to comply with the European Union’s General Data Protection Regulation still have time to act, attendees at Educause's annual conference heard Wednesday.

Speaking at a conference session called “GDPR: Where Are We Now?,” Esteban Morin, a lawyer at Brownstein Hyatt Farber Schreck, told university IT leaders to “not panic” if they are just starting to develop a plan to ensure their institution is compliant with the E.U. data protection and privacy rules.

The GDPR went into effect on May 25 this year, but many higher ed institutions (and companies) are still at the beginning of their compliance journeys, said Morin. “There’s been a lot of confusion,” he said. “We know the GDPR has been incredibly overwhelming.”

Organizations in the U.S., including colleges and universities, are subject to the GDPR if they process the personal data of people located in the E.U. Failure to comply with the rules can result in steep fines. But so far enforcement of the rules by data protection authorities in E.U. member states has yet to ramp up, said Morin.

“Government officials tasked with enforcing this are still figuring out what their enforcement strategy is going to be,” said Morin. “As we’re all struggling here -- the people enforcing the rules are struggling, too.”

Though no U.S. university has yet been fined, institutions should not be complacent about taking steps to come into compliance with GDPR, said Morin. There has recently been “a real hiring spree” of staff in the E.U. who will review GDPR complaints, he said. “Enforcement is coming in the next few years.”

Heidi Wachs, vice president of Stroz Friedberg, a company that helps organizations respond to data breaches and cybersecurity issues, said that there was an assumption that American tech companies like Google or Facebook “would have a bull's-eye on their back” when the GDPR came into effect. “None of that has come to fruition,” she said. “We thought we would have a lot more to talk about.”

Brian Markham, assistant vice president of information security and compliance services at George Washington University, urged attendees to think about their GDPR plan, “not just as a compliance journey,” but as an opportunity to take a deep look at data security and privacy practices at their institutions. The process is not easy, but it is "good business," said Markham.

As part of preparing for GDPR, Markham helped to perform an audit of all the data on students his institution collects, stores and shares. The process was valuable -- “we found websites that we didn’t even know existed,” he said.

One of the tenets of the GDPR is data minimization: organizations should collect and retain only the personal data they actually need for a stated purpose -- a principle Markham took to heart. Why collect data that you don’t need? Historically the U.S. is “horrible” at data minimization, said Wachs. “We have the mentality that it’s good to collect as much as possible.”

Markham said that George Washington was holding on to student data for seven years under the mistaken belief that it was a legal requirement, “but when you asked people ‘which law?’ they didn’t know,” said Markham. “Don’t be afraid to delete data. It will save you a lot of effort down the road.”

Under the GDPR, E.U. residents have the “right to be forgotten” -- which means they can request that organizations delete their data. Sometimes these requests may conflict with federal or state laws that require universities and colleges to store data for certain periods of time. Though this issue is “not tested yet,” Morin said that colleges should not be afraid to say no to requests to delete data under the GDPR.

U.S. institutions should do their best to abide by the GDPR, but they also have a duty to follow domestic laws, said Morin. “Remember that a domestic enforcement agency is much more likely to come after you than the other way around,” said Wachs.

Wachs warned that institutions should be careful to verify requests to supply or delete information. Several institutions have already encountered third parties claiming to represent individuals that want to exercise their GDPR rights, she said. “The institutions pushed back and asked them for proof they were representing who they said they were -- none of them were able to supply that information.”

These third parties could have been criminals looking for personal information, said Markham.

“Think carefully about how the data you release could be used,” he said.