The GDPR and Higher Education #2: Universities as Data Controllers & Data Processors
As we discussed in our first blog post framing the impact of the European Union’s General Data Protection Regulation (“GDPR”) on higher education, there are a number of key GDPR provisions that higher education institutions should be aware of when contemplating GDPR compliance. This second blog post will focus on data controllers and data processors, key definitions and roles under the GDPR.
Data controllers are entities that “determine the purposes and means of the processing of personal data.” Art. 4(7). Processing is further defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.” Art. 4(2).
A university, as the entity that either directly collects data from EU data subjects for a variety of purposes (admissions, education, etc.) or indirectly collects data via third parties, falls under the definition of a data controller. As such, a university is liable for the actual data collection as well as any subsequent processing, storage, or anything else related to the data, regardless of whether the action is taken internally or externally.
Further, the GDPR requires data controllers to implement appropriate measures to ensure and be able to demonstrate compliance with the GDPR, taking into account, among other things, “the risks of varying likelihood and severity for the rights and freedoms of natural persons.” Art. 24(1). These “appropriate measures” include those that are “designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing” to meet the GDPR’s requirements. Art. 25(1). These measures also must include “by default” mechanisms to ensure that “only personal data which [is] necessary for each specific purpose of the processing are processed.” Art. 25(2).
The GDPR recognizes that there are instances where “joint controllers” of data exist; i.e., “where two or more controllers jointly determine the purposes and means of processing.” Art. 26(1). To the extent that there are “joint controllers,” each shall determine, “in a transparent manner,” their respective responsibilities and make any arrangement available to the data subject. Art. 26(1)-(2). Regardless of any arrangement between joint controllers, a data subject may assert her rights under the GDPR against either controller. Art. 26(3).
A data processor is defined under the GDPR as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Art. 4(8). Processors are required to enter into a contract or other legal arrangement “that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” Art. 28(3).
Liability under the GDPR flows to all parties in the “chain of data”: data controllers and data processors are both liable for non-compliance. As such, the selection of data processors under the GDPR is very important. The GDPR expressly requires data controllers to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” Art. 28(1). Liability for compliance with the GDPR is also placed on data processors when engaging other third parties to carry out data processing activities on its behalf. Art. 28(4). Therefore, the data controller and data processor must conduct sufficient GDPR due diligence to ensure that any current and future third-party processors are in conformity with the GDPR and its requirements.
Designating an EU Representative
It is important to note that both controllers and processors not established in the EU must designate in writing a representative in the EU. Art. 27(1). The representative must have the ability “to be addressed . . . on all issues related to processing” to ensure compliance with the GDPR. Art. 27(3).
Records of Processing Activities
Finally, the heavy record-keeping requirements (Art. 30) implicate all facets of data collection and processing, requiring significant technological modifications and constant monitoring by the data controller. Examples of these record-keeping requirements include maintaining records of all processing activities and categories of data processed (Art. 30(1)-(2)) and Data Impact Assessments, required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Art. 35(1)).
So what does this mean for US-based institutions of higher education? As both data controllers and data processors, US-based universities must conduct sufficient due diligence to ensure that every entity that “touches” the data is compliant with the GDPR. Further, the university should maintain a clear understanding, and documentation, of its role in any data transaction: is it the data controller, the data processor, or a joint controller? These roles will dictate the responsibilities and liabilities of the university, and help it to understand its full obligations under the GDPR.
* * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.