AACRAO has released an interassociational guide discussion draft entitled "Implication of the General Data Protection Regulation" for member review and comment.
The General Data Protection Regulation (GDPR), adopted by the European Parliament in 2016, specifies how consumer data of citizens in the European Union (EU) should be used and protected. Effective May 2018, the new law stems from the growing need to protect data and individual privacy rights as highly sensitive personal information becomes increasingly digitized.
GDPR applies to all institutions involved in processing data about citizens in the EU, regardless of whether the organization is located within the EU. As such, the GDPR would likely apply to most, if not all, U.S. higher education institutions. Failure to comply could lead to fines of up to €20 million or 4 percent of global turnover.
To provide background, explain the law's provisions, lay a foundation for conducting risk assessments, and generally assist institutions in preparing their responses to the new rule, AACRAO has drafted a document that examines information-processing scenarios to test the GDPR provisions in a higher education context and discusses roles, considerations, and potential institutional responses to those provisions.