On July 25th at noon, a group of entrepreneurs and education professionals from organizations like TeachersConnect, ListenWise, and AdmitHub gathered in the café room at LearnLaunch. They came with their sandwiches and their salads, but they also came with questions about the EU’s new General Data Privacy Regulations, which threatened to affect organizations around the world that controlled or processed personal data.
“What is needed for a survey to be GDPR compliant?”
“How does GDPR affect AI?”
“How to handle student data that we share with universities?”
These are just a few of the notes that attendees submitted in advance of the session. The general mood was perhaps best reflected by a question from one edtech startup CTO: “What the hell is going on?”
Matt Johnson, an attorney in Cooley LLP’s Education, Education Technology, and Privacy & Data Security practice groups, took the lectern to lead us through a detailed introduction to the new rules. One of the chief concerns that many Americans had with GDPR was the lack of clarity around who was responsible for complying. For example, if a French tourist visits Boston and emails a restaurant requesting a reservation, is that restaurant now required to comply with GDPR in storing that email? (If you think I’m being apocryphal, the Wall Street Journal begs to differ.)
Johnson did his best to allay our fears.
“There is no need to appoint an EU Representative if your processing of personal data is occasional, small-scale and does not involve sensitive personal data.”
Still, the regulatory concerns for technology companies, especially those dealing with data from minors or international users, are very real and require thoughtful work to address. Johnson covered key terms and concepts in the new regulations, jurisdiction, new individual rights, and specific considerations for edtech companies, before moving to a discussion of possible enforcement measures. He then took us through a three-phase project plan to work toward GDPR compliance.
After the presentation and a lively Q&A, the audience slowly filtered out, stopping to chat with friends and old colleagues. Johnson stayed to answer a few final questions before heading back to his own office.
The truth of the matter is that there is no hard-and-fast certification for being GDPR compliant. Individual countries in the EU have the authority to interpret the rules as they see fit, so the most important advice (and the last item in Johnson’s project plan) is to stay current. We’ll be watching carefully to see when and how the rules are enforced over the coming months, even as we prepare for the rollout of California’s Consumer Data Privacy Act of 2018, which comes into force in 2020.
Until then, watch the LearnLaunch events calendar for more opportunities to stay up on the latest in legal, marketing, research, and more for the education sector.
Want to learn more about GDPR for EdTech? The complete slides and video from this session are available at http://learnlaunch.org/gdpr-for-edtech/.