Cybersecurity Series: GDPR and Higher Education Institutions

Why Read This Report

Few issues keep higher education executives awake at night more than data privacy. As the new European data protection law, the General Data Protection Regulation (GDPR), comes into effect on May 25, 2018, higher education institutions must position themselves to mitigate risk and strengthen compliance efforts. This comprehensive and complex law covers all processing of personal data, not just data that could be considered private. With this report, The Tambellini Group addresses what higher education needs to understand about GDPR, including how it impacts higher education, and what steps need to be taken to be in compliance. In the fast-changing world of cybersecurity and information governance, this report will prepare institutions for this new era in data protection.

Key Questions Answered

• How will GDPR likely affect U.S. higher education institutions in relation to student, employment and research data?
• How does the scope of GDPR go beyond that of similar U.S. statutes such as the Family Educational Rights and Privacy Act (FERPA) or the Protection of Pupil Rights Amendment (PPRA)?
• What are the fines associated with breaches of the GDPR?
• What preparations should be taken to be compliance-ready by the time GDPR comes into effect?

Report Features

• Download complimentary Executive Summary.
• Author: Ann Kristin Glenster is an acknowledged global legal authority specializing in data privacy. She is deeply involved with the GDPR’s implications, and acts as a private consultant on issues related to GDPR and data protection.
• Co-Author: Katelyn Ilkani, VP, Cybersecurity Advisory Practice, The Tambellini Group.
• Peer Reviewers: Chad Tracy, Director of Information Security, Colby College and David Sherry, CISO, Princeton University.
• Report Length: 57 pages.
• Report Availability: August 2017.

Table of Contents

1. Acknowledgements
2. Terms of Use
3. Disclaimer
4. Executive Summary
5. Introduction
   1. GDPR as Part of the EU ‘Constitution’
   2. Uncertainty Regarding Interpretation and Enforcement
   3. Applicability to U.S. Higher Education Institutions
6. Territorial Reach and Cross-Border Transfer of Data
   1. Offer of Goods and Services, Monitoring of Behavior
   2. Representative in the EU
   3. Cross-border Transfer of Personal Data
   4. EU-U.S. Privacy Shield Mechanism
7. General GDPR Issues
   1. Processing
   2. Personal Data
   3. Special Category Data
   4. Legal Grounds for Processing
   5. Data Processing Principles
8. Issues of Academic Research
   1. Consent
   2. Safeguards and Pseudonymization
9. Specific GDPR Issues
   1. Specific Rights of the Individual
   2. Transparency and Notices
   3. Accountability and Risk Evaluation
10. Practical Matters
    1. Data Protection Officer (DPO)
    2. Main Establishment
    3. Certificates and Codes of Conduct
    4. Documentation
    5. Security
    6. Breach Notification
    7. Complaints, Compensation, and Penalties
    8. Administrative Fines
    9. Compliance Checklist
11. Conclusion
12. Bibliography
13. Appendixes
    1. Overview of the GDPR Articles
    2. Overview of Supervisory Authorities
    3. Short PowerPoint Summary
14. About the Authors
15. About The Tambellini Group
16. Other Available Reports