Data Privacy and Security & Education Law Alert: Ready for the GDPR? New European Privacy Law to Impact U.S. Schools and Universities

March 27, 2018

Leaders of schools, colleges, and universities that attract students from Europe should be aware of the new comprehensive data privacy and security regulation, known as the General Data Protection Regulation or "GDPR", which takes effect May 25, 2018. The regulation reaches beyond the European Union to any entity that obtains or receives the personal data of individuals within the European Economic Area ("data subjects") in connection with offering them goods or services (whether for profit or not) or monitoring their behavior (including online).

The GDPR requires organizations to take documented action to protect the privacy and security of EU data subjects' personal data. Some core compliance considerations for processing EU student data include:

  • Informed Consent or Other Legal Basis
  • Written Privacy and Security Policies
  • 72-hour Breach Notification
  • Rights to Access and Correct, to be Forgotten, to Data Portability
  • Privacy by Design
  • Vendor/Third Party Contracts
  • Data Protection Impact Assessment
  • Appointment of a Data Protection Officer and/or EU Representative
  • Public and private enforcement mechanisms and penalties for non-compliance of up to the greater of 4% of the organization's worldwide revenue or €20 million

For more information on GDPR compliance, or other data privacy and security issues, please contact:

Sherwin M. Yoder
(203) 784-3107

Jennifer A. Calcagni
(203) 575-2648

Damian K. Gunningsmith
(203) 784-3185

For information on school and education law issues, please contact:

Susan L. Henebry
(203) 578-4266; shenebry@carmodylaw.com

Giovanna Tiberii Weller
(203) 575-2651

Ann H. Zucker
(203) 252-2652