4 Things All Schools Should Know about the GDPR

Magnus Health


**This blog post is not legal advice, nor is it a substitute for legal advice.**
The acronym GDPR has been floating around for a while now like an ominous cloud over any school that hosts international students from Europe. But what exactly is the GDPR? The General Data Protection Regulation (GDPR) goes into effect May 25th, 2018. It is a new data privacy law that gives EU citizens more protection for, and easier access to, their personal information, and it will force schools to be transparent about how they manage private student information.

So what does this have to do with schools in the US? Every school that hosts international students from the EU must comply with this new regulation. It is the responsibility of the school to ensure that any personal information received regarding an EU citizen is collected and stored securely. The only people who should have access to that information are the individuals the information pertains to, and the school admins that need to access it in order to do their job. For example, a school nurse needs to be able to view Johnny Smith’s complete health history, but the parent chaperoning next week’s class field trip might only need to see what Johnny is allergic to, and who to call in the event of an emergency.

It is the responsibility of the school to ensure that all personal information received from an EU citizen:

  • Is stored securely.
  • Can be easily accessed by the individual (parent/guardian).
  • Can be corrected or erased as needed.
  • Is not shared without permission and can’t be accessed by unauthorized individuals.

Because schools are a common target for security breaches, it is vital for schools to have a detailed security protocol in place. Following security processes that have been successfully implemented ensures that human error will not be the cause of a PHI leak or threat. Security is a process. It starts with identifying the sensitive data set, its location, who should be authorized to access it, and how best to secure it against the known threats. Security policies document these details and give school staff guidance on how to protect that private information.

The purpose of the GDPR is to assure EU citizens that their health information will be protected no matter where in the world it is sent. This means they have the right to know how their information is being used and by whom. Schools hosting EU students must be able to provide that information or they will be in violation of the privacy law. Depending on the type of violation, schools will incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater).

An electronic Student Health Record (SHR) solution like Magnus Health helps schools give parents and guardians SSO password-protected access to their student’s Magnus account so they can upload, edit, and delete personal health information as needed. When everything is kept on one online platform, parents and students can access their information from any mobile ‘smart’ device.

One of the core aspects of the GDPR regulation states that schools must provide a way for their international students to make changes to their private information. So it is vital to have a plan in place that would streamline this process. Simple online form submission saves staff time while automated email reminders keep parents and students up-to-date on approaching deadlines. With an online record account, when a student needs a new medication or develops a new allergy, that information can quickly and easily be updated.

With SHR features like Role Permissions, schools can decide the level of accessibility their staff has to private student information. With the click of a button, a school can greatly reduce liability risks and still provide the right people with the information they need to do their jobs.
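The field-level access described above for the nurse and the trip chaperone, written out as an added example (not Magnus Health's code); the roles, field names and sample record are assumptions, and the policy is deny-by-default with every decision written to an audit log:

```python
# Added example, not Magnus Health code: a deny-by-default, field-level
# role policy for a student health record, following the nurse/chaperone
# case in the text. Roles, field names and the sample record are assumptions.
from typing import Any

# Each role lists the record fields it may read; a field not listed is denied.
ROLE_FIELDS: dict[str, frozenset[str]] = {
    "nurse": frozenset({"name", "allergies", "emergency_contact",
                        "medications", "health_history"}),
    "trip_chaperone": frozenset({"name", "allergies", "emergency_contact"}),
    # A parent sees the full record, but only for their own student (checked below).
    "parent": frozenset({"name", "allergies", "emergency_contact",
                         "medications", "health_history"}),
}

# Constructed sample record; guardian_ids lists the parent accounts that own it.
SAMPLE_RECORD: dict[str, Any] = {
    "student_id": "S-1001", "guardian_ids": {"P-7"},
    "name": "Johnny Smith", "allergies": ["peanuts"],
    "emergency_contact": "+1-555-0100", "medications": ["epinephrine"],
    "health_history": "asthma, 2016",
}

def view_record(record: dict[str, Any], role: str, user_id: str,
                audit_log: list[dict[str, Any]]) -> dict[str, Any]:
    """Return only the fields `role` may read; log every decision, granted or denied."""
    allowed = ROLE_FIELDS.get(role)
    # Unknown roles, and parents who are not a guardian of this student, get nothing.
    if allowed is None or (role == "parent" and user_id not in record["guardian_ids"]):
        audit_log.append({"user": user_id, "role": role,
                          "student": record["student_id"], "granted": []})
        raise PermissionError(f"{role} {user_id} may not view {record['student_id']}")
    visible = {k: v for k, v in record.items() if k in allowed}
    audit_log.append({"user": user_id, "role": role,
                      "student": record["student_id"], "granted": sorted(visible)})
    return visible

if __name__ == "__main__":
    log: list[dict[str, Any]] = []
    print(view_record(SAMPLE_RECORD, "trip_chaperone", "U-3", log))
    print(log[-1])
```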

Adhering to this new regulation is not up to just one department in a school; it takes a village. Depending on how the school is set up, a Data Controller can be anyone from an Office Admin to the school Nurse. This person has to be able to securely collect and manage incoming student records while maintaining efficient contact internally with other departments and externally with parents and guardians.

Looking for a 3rd party vendor to help manage your data? To learn what questions you should ask and discover what they should be doing to keep your data secure, please read our Vendor Accreditation and Why It Matters to Schools blog!