EU's General Data Protection Regulation (GDPR)

As records become increasingly digitized, many institutions hold highly sensitive personal information on their students, employees, and other individuals in digital form. As such, the need to protect the data and privacy rights of individuals is pressing. The General Data Protection Regulation (GDPR) was introduced to specify how consumer data of citizens in the EU should be used and protected.

Who is affected?

GDPR applies to all institutions involved in processing data about citizens in the EU, regardless of whether the organization is located within the EU. This regulation replaces Directive 95/46/EC.

Enforcement Date: May 25, 2018

Adopted by the European Parliament in April 2016, GDPR will be enforceable in May 2018. Depending on the article violated, non-compliant institutions face fines of either:
1) €10 Million or 2 percent of global turnover, whichever is higher
2) €20 Million or 4 percent of global turnover, whichever is higher

GDPR explained in 3 minutes

Five important aspects of GDPR



on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Topic Contributors

Bret Cohen
Hogan Lovells

Mary Chapin
National Student Clearinghouse

Brian Flahaven

Julia Funaki

Joanna Grama

David Hawkins
National Association for College Admission Counseling

Clay Hensley
The College Board

Tracy Locklin
National Student Clearinghouse

Mark McConahay
Indiana University - Bloomington

Kristen Meeks

Joann Ng Hartmann

LeRoy Rooker

Heidi Wachs
Jenner & Block


  • Julia Funaki, Associate Director, AACRAO International, highlights the campus coordination required to become GDPR compliant in an Inside Higher Ed article. posted 3/13/2018
  • AACRAO's FAQ on GDPR. posted 1/22/2018
  • Daniel J. Solove shares resources on GDPR. posted 11/29/2017

GDPR Whiteboard infographic explaining GDPR
Guide to train staff on GDPR
Beyond GDPR: The Challenge of Global Privacy Compliance - An Interview with Lothar Determann

  • Inside Higher Ed article on GDPR states "[Institutions] will now also need to think about protecting people’s IP addresses. Any unique identifiers assigned to people or their electronic devices by institutions, such as in the admissions process, will also need to be protected under the GDPR." posted 11/6/2017
  • Hogan Lovells' GDPRnow app provides companies with assistance to identify practical steps to comply with the new framework posted 10/27/2017
  • Educause library on GDPR posted 10/27/2017
  • Opinion piece from the Article 29 Working Party, an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. The European Data Protection Board (EDPB) will replace the Article 29 Working Party under GDPR. posted 10/27/2017
  • The General Data Protection Regulation Explained posted 8/31/2017
  • GDPR and Blockchain posted 8/8/2017
  • EU's GDPR FAQs
  • Hogan Lovells' guide to preparing for GDPR
  • TrustMarque infographic checklist on GDPR
  • Preparing for the EU GDPR, TrustMarque Whitepaper

AACRAO Activities

GDPR: Step-by-Step Preparation
View Archive

27 - AACRAO Annual Meeting Session Description
25 - Enforcement begins

26 - Building Awareness of the EU's GDPR, a Discussion Webinar
View Archive
24 - National Association of College and University Attorneys (NACUA) Webinar
Purchase Recording
Last updated 3/13/2018