Digitalisation poses a new challenge to the right to privacy: the more personal data is digitally available and thus easily shareable, the more the fundamental right to privacy comes under stress. The European Union responded to this through a directive, the General Data Protection Regulation (GDPR), to ensure that individual rights were protected and that businesses had clear rules regarding their use of personal data so that privacy was respected and data minimisation incorporated by design. This directive is valid in the European Union and the European Economic Area.
The directive sets conditions on the gathering and storing of personal data so that this is done only when and for as long as necessary. It also aims to ensure that individuals are well informed about their rights and able to give and withdraw consent to those gathering or storing data. As a directive, GDPR is not a law that is applied immediately across the EU; rather, it sets the framework for individual national laws that implement its principles.
Compliance
To be compliant, it is important to define levels of responsibility, for example, who has the overall responsibility within the institutions, or who is responsible for the practical implementation. There will be several persons responsible at different levels of the university. Clear information to all stakeholders within a university is important, as students writing an assignment will have different needs than, for example, administrators working with data on alumni.
The challenge to comply with GDPR has led to doubts—for example about what digital tools, from cloud services to word processers, are compliant—which has had a dampening effect on the digital transformation within some institutions. It is not clear how many edtech or large technology providers, particularly non-EU providers, comply with GDPR. This can lead to a grey zone of partial compliance on the part of the university, where an institution or staff member chooses to use a digital tool, without being certain how the provider gathers data. Some use the argument of GDPR compliance for developing their own tools, where GDPR compliance is built in from the beginning.
International cooperation
Another issue with GDPR is international cooperation. Before data sharing with non-EU partners is possible, the European Commission has to make an adequacy decision deeming the privacy rules in a specific country sufficient for EU parties to share data. If there is no adequacy decision, data sharing is still possible, but it requires more safeguards.
See also European digital regulation and Regulatory framework
Resources and good practice
Good practices for personal data
Good practice guide for dealing with personal data by Belgian francophone universities
Privacy regulation, Oldenburg
Privacy regulation at the Carl von Ossietzky Universität Oldenburg
Guidance for dealing with personal data, University of Rostock
Step-by-step guidance for dealing with personal data, University of Rostock
UiO privacy resources for staff
Privacy resources for staff at the University of Oslo, Norway
More