The European Union’s General Data Protection Regulation, the Clearinghouse, and Higher Education Institutions
On May 25, 2018, a new European Union (EU) regulation aimed at protecting personal data privacy went into effect: the General Data Protection Regulation (GDPR). The GDPR governs the use and disclosure of personal data collected from individuals in the EU (“EU Data Subjects”), regardless of whether an EU Data Subject has a domicile in the EU or is a citizen of an EU country.
The GDPR is based on the European view that privacy is a fundamental right, and gives EU Data Subjects broad rights in and control over their personal data. This includes, for example, the right to:
- data portability;
- access and rectify personal data;
- consent to data uses except in certain circumstances; and
- be forgotten.
While the specific application of these rights to Clearinghouse services and data will depend on a number of factors, some of these rights may be available to an EU Data Subject whose data is held by the Clearinghouse.
GDPR and the Clearinghouse
Because the Clearinghouse is not established in the EU, does not offer its services directly to individuals in the EU, and does not monitor the behavior of EU Data Subjects, the Clearinghouse is not directly subject to the GDPR.
However, some of our educational and commercial partners are directly subject to the GDPR and, as such, are required to contractually obligate entities that process personal data collected from EU Data Subjects on their behalf (“Processors”) to comply with the GDPR’s requirements. Because the Clearinghouse may serve as a Processor for our partners, the Clearinghouse, through contracts with our partners that pass on such obligations, would be obligated to comply with certain GDPR requirements.
Resources for Institutions
The Clearinghouse has been actively working with AACRAO to develop guidance materials for educational institutions to ensure compliance with the GDPR, both as a general matter and with respect to the data services provided by the Clearinghouse.
AACRAO, the Clearinghouse and others in the higher education community produced Implications of the General Data Protection Regulation: An Interassociation Guide. This document is designed to generally assist institutions in preparing their response to the GDPR by providing background on the GDPR, an explanation of the GDPR’s provisions, a foundation for conducting a risk assessment, and sample exercises. You can find the document here.
Additionally, to support our institutional customers, we have developed a document explaining our collaborative approach to GDPR compliance. This document can be found on our website, here.
After reviewing these two documents, please direct any further questions you may have about the Clearinghouse’s compliance with the GDPR to firstname.lastname@example.org.