In our last blog post, we looked at how the informed-consent clause of the General Data Protection Regulation (GDPR) affects IT and software-licensing staff at academic institutions in the EU. This aspect of the law makes it challenging for these staff to offer cloud-based software to students by effectively forbidding the most efficient baked-in way to create user accounts in bulk.
But this is just one of many ways in which the GDPR affects organizations within its jurisdiction. The GDPR is a sweeping piece of legislation, containing many other clauses that can complicate how schools handle the private data of their students, staff, and faculty.
Here’s a high-level overview of some of the many other requirements for GDPR compliance that schools operating in the EU need to keep in mind.
The Right to Erasure
Also known as the Right to Be Forgotten, Article 17 of the GDPR gives individuals the right to have their personal data deleted by any organization that possesses it. The individual need simply contact the organization and request to have their data deleted, and the organization must do so “without undue delay.”
It’s worth noting that this is not a cut-and-dry clause. Article 17.3 outlines a number of scenarios in which the right to erasure would not apply, such as if maintaining the individual’s data is necessary for compliance with a legal obligation or for certain reasons of public interest. This nuance makes it all the more important for both schools and students to have a detailed, not just cursory, understanding of the law.
The Right of Access
Article 15 of the GDPR grants individuals the right to confirm whether an organization has collected any personal data about them. Where an organization has collected such data, the individual also has the right to view what data they have.
This can include the individual’s school as well as any third parties their school has partnered with to provide services. If such a partner is based outside the EU, the individual can also request details as to the process by which their data was passed to that partner. If the individual would like multiple copies of the data that’s been collected, the organization may charge a “reasonable fee” to offset the administrative work involved in providing them.
The Right to Rectification
In essence, article 16 of the GDPR is intended to prevent incorrect information from being gathered and circulated. To this end, it gives individuals the right to have any inaccurate data about them corrected by the organization that gathered that data.
In addition to fixing factual inaccuracies, this article empowers individuals to have incomplete data about them completed by the organization(s) that possess the data in question. As in many cases with the GDPR, organizations are obligated to act “without undue delay” upon receiving such a request, rather than within a specific timeframe.
The Rights to Restrict and Object
Article 18 of the GDPR grants individuals the right to restrict the processing of any personal data an organization has collected about them. More broadly, article 21 grants everyone the right to object to the processing of their personal data altogether in certain scenarios.
As with the right to erasure, these are not a hard and fast rights. Individuals can only have the processing of their data restricted under specific grounds, such as if the processing is unlawful or there are inaccuracies in the data. To successfully object under article 21, an individual must demonstrate that the processing fails to meet certain requirements laid out in a separate article of the legislation (article 6). Again: it’s important for schools and students to know their rights and obligations under the GDPR in detail rather than just in general.