Data protection law is changing on a global scale. Initiated in part by the General Data Protection Regulation (GDPR) in the EU, countries across the world have adapted, changed or brought in new legislation to align their data protection requirements with those of the EU. Examples range from Nigeria, with its draft ‘Data Protection Guidelines 2018’, to the U.S., where California state law changes on 1st January 2020 with the introduction of the ‘California Consumer Privacy Act of 2018’ (CCPA).
What is prevalent is the wide variation in the understanding, interpretation and enforceability of the GDPR in countries and jurisdictions outside the EU, such as the individual states in the USA. Only this year, Alabama, Arizona, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, South Dakota, Vermont, and Virginia have all passed laws varying or enhancing their data protection laws, mirroring some of the obligations of the GDPR.
Schools, particularly those not in the EU, face a challenge in determining whether the GDPR will change data protection law in their country / state of residence. Schools also face uncertainty over how local laws might change to accommodate the GDPR and, if they do, what mitigating actions are required given the additional obligations reflected in the GDPR.
Transferring Personal Data to an Organisation Out of Country or State
The GDPR and most other non-EU local interpretations require organisations to have protections in place when sending or receiving personal data, regardless of the sender’s or recipient’s location. For schools sharing information with another school or organisation in the EU, this can be achieved by signing a contract which includes the relevant data protection terms, or by signing a data sharing agreement. Many schools, regardless of location, use cloud-based systems which can be located anywhere in the world. Where this is the case, the GDPR and the majority of other lawful interpretations obligate schools to ensure there are adequate protections in place when transferring personal data to an organisation or cloud-based system in a third country outside the country / state from where it was originally collected or processed.
For schools to continue sharing personal information where these obligations exist (e.g. a student transferring from a school in one country / state to another), data sharing agreements or similar should be in place. These agreements place obligations on the school with the lower level of national / state data protection law to handle the personal data it has received to the same standard as the school from which the personal data was sent. A non-EU based school receiving data from an EU-based school would therefore be agreeing to a number of the obligations of the GDPR by proxy, even though those laws may not be in place in its own jurisdiction. It should be noted that there are significant questions over the practicalities of enforcing the obligations of data sharing agreements across legislative borders.
Likewise, to be compliant with the law, businesses and not-for-profit organisations have amended their terms of business and contracts, placing contractual obligations on those they do business with to comply with changes in data protection law. It is therefore likely that schools in most countries / states will, by virtue of contract law, have agreed to more stringent obligations on how they process data, but may not necessarily have recognised that this is the case.
What is the Impact?
The changes to data protection law for non-EU schools are evidently clear. The impact will be felt through the international transfer of data between organisations, the inclusion of clauses within service contracts which obligate both parties, and the adoption by multinational businesses of standard data protection terms which follow the principles of the GDPR for all jurisdictions, including those not in the EU. For schools in the USA, the changing nature of data protection law will be felt through the ripple effect of the GDPR and changing state law, such as that in California and other states.
What You Should Not Do
You should not assume that changes to data protection law, such as the GDPR, do not and will not have an impact on your school. The transparent and wide-reaching nature of the regulation dictates that organisations need to be methodical in understanding how and where they are affected. The obligations placed on your school will become clearer over time. For schools, this will materialise through suppliers and cloud system vendors updating contract terms, or through other schools refusing to share personal data with you unless your school agrees to a data sharing agreement (in which you confirm that your school handles data in compliance with whichever party’s data protection law is the stricter).
How Should We be Preparing for Changes to Data Protection Law?
There are three components of compliance: Governance, Data Protection and Information / Cyber Security. Running through each of these is the principle of ‘accountability’. This means organisations need to be able to evidence, with metrics, their level of confidence in compliance with data protection law. 9ine’s Data Protection Governance Toolkit is designed to manage the obligations of the GDPR, and covers the primary areas of requirement for all jurisdictions. With input from schools across the world, the Toolkit is an efficient mechanism to support documentation and evaluate what your school needs to do.
An ability to assess information and cyber security risks is critical for compliance with almost all variations of data protection law. In practice, this means school leadership understanding how secure their IT systems and services are, how vulnerable they are to a cyber breach, and how susceptible their staff are to attacks such as phishing campaigns. Having launched our school-specific Cyber Defense service, 9ine’s cyber team are supporting schools across the world to secure and effectively test their IT environments.
What’s on the Horizon
Legislation is changing across the world to accommodate the GDPR. Some countries are enforcing the regulation word for word, whilst others are being less specific but still implementing the core principles. What is clear is that organisations in countries where data protection law is weak will still have to comply, by virtue of other means such as data sharing agreements and contracts.
Within the EU, there is a new kid on the block whose reach is wider: the E-Privacy Regulation. This will apply to any organisation with a website which sets cookies on individuals who reside in the EU / EEA, or which undertakes digital marketing to people residing in the EU / EEA. Significantly, if you are a school in the USA and an employee travels to the EU on business and visits the school website, the E-Privacy Regulation will apply because they are in the EU at the time. If the GDPR doesn’t somehow apply to you, the E-Privacy Regulation most likely will.
Kickstart Your Compliance - 9ine's Free Consultancy Call
To understand how to assess your current compliance with data protection law, how to determine the technical risks of a data protection breach, and how to report to your board, book a meeting with a member of our team below.
If you have any concerns about supporting the data protection and cyber security obligations in your school, or have any questions about our services, please contact us.