GDPR And Your School
GDPR, the General Data Protection Regulation, is a set of guidelines that went into effect on May 25, 2018. It dictates how individuals, companies, and schools may acquire, utilize, store, and delete the personal data of European Union (EU) users.
These regulations cover both on-line and internal data processing systems.
You'll find information here explaining GDPR and how it affects your school and classroom, how it's enforced, and what you can do to make your web site(s) and internal systems GDPR compliant.
Here's a good explanation of how the GDPR views personal data vs. how companies & schools have traditionally thought of personal data. From the article...
First, we need to get used to the term "personal data" instead of "PII" (personally identifiable information). Personal data is much broader than PII — it applies to anything that can be used to identify a person.
Next, it's important to flip the view you might have of personal data the company collects as belonging to the company. Instead think of it as belonging to the person it identifies. The consumer [or visitor] is, you might say, giving us a license to use their personal data. You may then be ready to try to grasp a core value of the GDPR: "Natural persons should have control over their own personal data."
This reflects a key public policy that data belongs to the person it identifies, and that the person has a right to control how it is processed. This means when customers share their data with us it is not ours, but rather theirs, at least as the European Union sees it and as reflected in the GDPR.
This article posits that both K-12 and higher education institutions across the United States should be prepared for GDPR — the European Union's new General Data Protection Regulation — which went into effect May 25.
Many U.S. educators and administrators don't think GDPR affects them because they live outside Europe. However, any time an educator communicates with someone living in an EU member country — think a high school exchange student — GDPR applies, to both their on-line and internal data processing systems.
The article includes a list of the typical steps in developing an effective data protection program.
This post by Punit Bhatia details the eight data subject rights defined in the GDPR.
They are the ...
- right to information
- right to access
- right to rectification
- right to withdraw consent
- right to object
- right to object to automated processing
- right to be forgotten
- right for data portability
GDPR features & 5 steps to compliance
This video gives a quick 3-minute overview of what the GDPR is and why it's a good thing for consumers, and 5 things to consider to become GDPR compliant.
Which persons are covered under the GDPR?
The GDPR rules apply to everyone who interacts with or has data stored on your web sites or internal systems.
This includes current and former students, parents, teachers, staff, administrators, outside vendors and contractors. The GDPR rules apply to everyone.
Here's another look at the GDPR and how it applies to schools in the US and Canada.
The GDPR may apply to schools in two ways. First, some schools may have enough presence in the EU such that the law would consider the school "established" in the EU and therefore subject to its regulations. Second, GDPR applies to organizations that either "control" (i.e. collect) personal data from EU residents, or "process" (i.e. store, utilize) that data on behalf of a data controller such as a cloud service provider.
Use their checklists to see how the GDPR may apply to your school.
This post includes general information for how the GDPR affects small websites and the steps needed to stay compliant. While some of the suggestions are specific to WordPress, most of the information can be applied to any school or personal web site.
While this article is on the technical side, it lays out a number of steps you or your school IT people can take ahead of time to be prepared for a data breach.
Think you don't need a plan? What happens when some student gets into the school systems and changes everyone's grade?
Data breaches can happen to any school. Having a plan in place is worth it, no matter where you're located.
This article looks at the GDPR and answers the question of how the EU can fine a U.S. based web site.
The short answer is that "EU regulators can fine U.S. companies for violating GDPR, and they can do it [only] with the help of U.S. authorities."
The odds of your local school or classroom web site being fined for an accidental violation of the GDPR? Pretty close to zero. But updating your site and policies to be GDPR compliant is not that hard and will make your parents feel better too.
This page is mainly aimed at people outside the EU who are trying to understand GDPR and its compliance.
When in doubt, check with your IT or legal department to see what policies are in place for your school.