Trending Topic

EU's General Data Protection Regulation (GDPR)

As records become increasingly digitized, many institutions hold highly sensitive personal information on their students, employees, and other individuals in digital form. As such, the need to protect data and privacy rights of individual is pressing. General Data Protection Regulation (GDPR) was introduced to specify how consumer data of citizens in the EU should be used and protected. 
GDPR Explained in Three Minutes
Five Important Aspects of GDPR

For More Information


Join the email list Contact AACRAO

Topic Contributors

Bret Cohen
Hogan Lovells

Mary Chapin
National Student Clearinghouse

Brian Flahaven

Julia Funaki

Joanna Grama

David Hawkins
National Association for College Admission Counseling

Clay Hensley
The College Board

Tracy Locklin
National Student Clearinghouse

Mark McConahay
Indiana University - Bloomington

Kristen Meeks

Joann Ng Hartmann

LeRoy Rooker

Heidi Wachs
Jenner & Block


GDPR will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. This regulation replaces Directive 95/46/EC.

Enforcement Date: May 25, 2018

Adopted by the European Parliament in April 2016, GDPR will be enforceable in May 2018. Depending on the article violation, non-compliant institutions face fines either
1) €10 Million or 2 percent of global turnover, whichever is higher
2) €20 Million or 4 percent of global turnover, whichever is higher


  • Julia Funaki, Associate Director, AACRAO International highlights the campus coordination required to become GDPR compliant in Inside Higher Ed articleposted 3/13/2018
  • AACRAO's FAQ on GDPR. posted 1/22/2018
  • Daniel J. Solove shares resources on GDPR. posted 11/29/2017
    • GDPR Whiteboard infographic explaining GDPR
    • Guide to train staff on GDPR
    • Beyond GDPR: The Challenge of Global Privacy Compliance - An Interview with Lothar Determann

  • Inside Higher Ed article on GDPR states "[Institutions] will now also need to think about protecting people’s IP addresses. Any unique identifiers assigned to people or their electronic devices by institutions, such as in the admissions process, will also need to be protected under the GDPR." posted 11/6/2017
  • Hogan Lovells' GDPRnow app provides companies with assistance to identify practical steps to comply with the new framework. posted 10/27/2017

  • Educause library on GDPR posted 10/27/2017
  • Opinion piece from the Article 29 Working Party, an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. The European Data Protection Board (EDPB) will replace the Article 29 Working Party under GDPR. posted 10/27/2017

  • The General Date Protection Regulation Explained posted 8/31/2017

  • GDPR and Blockchain posted 8/8/2017

  • EU's GDPR FAQs

  • Hogan Lovells' guide to preparing for gdpr

  • TrustMarque infographic checklist on GDPR

  • Preparing for the EU GDPR, TrustMarque Whitepaper
Last updated 5/15/2018