The GDPR and Higher Education #2: Universities as Data Controllers & Data Processors

As we discussed in our first blog post framing the impact of the European Union’s General Data Protection Regulation (“GDPR”) on higher education, there are a number of key GDPR provisions that higher education institutions should be aware of when contemplating GDPR compliance.  This second blog post will focus on data controllers and data processors, key definitions and roles under the GDPR.

The Impact of the GDPR on Higher Education in the United States Blog Series

Colleges, universities, institutions of higher education, however you want to frame them, are organizations devoted to the development of academic subjects. They create environments ripe for intellectual exploration and the exchange of information. They provide a platform for individuals from across the globe to collaborate on ideas and develop the innovations of tomorrow. These institutions are a treasure trove of data. Inherent in the functioning of any higher-education organization is the free flow of ideas (i.e., data): data related to individual students, data related to studies conducted by these institutions, data related to research and development. Basically, they are institutions of data.

A Funny Thing Happened on the Way to the Office

I try to make most of my blog posts about current legal issues in the area of cybersecurity and data privacy because so many businesses do not fully understand cybersecurity, how it works and what they can do to protect their company. As my law partner often says, cybersecurity is like Pandora's box, and many companies do not want to open that box because they are scared and do not know what is inside. However, this is not that kind of post. I am angry. And really, more than angry, I am upset. And why, you may ask? Simply because I received a telephone call. HUH???

Cybersecurity is Always a Good Investment IN M&A Transactions

Whether you are the target or the acquirer, cybersecurity is the number one issue in an M&A transaction. The reason? Money. If you are the target, failure to appropriately address cybersecurity can significantly devalue your company. If you are an acquirer, failure to conduct appropriate cyber due diligence before the deal is signed can result in purchasing a liability instead of an asset. No matter which side of the table you sit on, cybersecurity should be top of mind.

Biometric Data under the GDPR

With the launch of the iPhone X, the debate around using biometric data as an authentication method has become mainstream.  To recap, the iPhone X is making thumbprint access to a mobile device a thing of the past:  now, all you need is your face (and, of course, the iPhone X).  While thumbprint access has become standard in most mobile devices, the use of facial recognition is new for most consumers.

Responding Elegantly and Deliberately

While at the recent Cybersecurity Awareness Summit at the Harrisburg University of Science and Technology, one of the speakers put up a slide that said, basically: firewalls, passwords, anti-virus software, and multifactor authentication → yesterday's news. The point being that these are really the baseline. The starting point. The bare minimum of security.

Breaching the Castle: Walls and a Moat are No Longer Enough

I cannot tell you how many times I hear people comment that their cybersecurity is "just fine" because they have firewalls and antivirus software. Cybersecurity affects all of us, and simply having good firewalls and antivirus software is not enough.

Sticking Your Head in the Sand: How NOT to Approach the GDPR

In speaking with entities of all sizes and all industries, we are often confronted with the same series of questions over and over again regarding the EU's General Data Protection Regulation ("GDPR"): why do I need to comply? Is the EU really going to enforce this? What are the odds (as if we have a Magic 8-Ball) that the EU will actually sanction me? That is in essence like asking: what are the odds I will be hit by a car? I don't know, but I still look both ways before crossing the street, and I have insurance because I don't want to risk it. The doubters, the deniers, the wait-and-see'ers: these are the entities that will get hit by the GDPR. They hope that the GDPR will not be as extensive, or as intrusive, or as devastating as privacy experts are saying, and while we don't have a Magic 8-Ball, the response we give these naysayers is, "All signs point to Yes!"

A Post-Equifax World: The Times They Are A Changin’

We now live in a post-Equifax world. When we look back at this time in history, I truly believe that is how we will measure cybersecurity regulations: how we approached cybersecurity pre-Equifax and how we approach cybersecurity post-Equifax. There is no point in denying that the cyber world has fundamentally shifted. People who were paying little to no attention to cybersecurity are now running to their "tech guy" to find out what type of security their company employs. So what can we expect from this post-Equifax world, you may be asking? Simply (and yet there is nothing simple about it), more regulations.

Protecting Your Data In a Post-Equifax Breach World

Almost half of the country, approximately 143 million Americans, is asking what he or she can do in the wake of the Equifax breach. How can I protect my identity? What does this mean? What additional steps can I take to make sure that I am protected?