The AACSB International (“AACSB”), a global entity providing accreditation services for clients in the global market, is committed to the data protection of our members. The General Data Protection Regulation (“GDPR”) went into effect in the European Union (“EU”) on May 25, 2018. The regulation imposes broad data privacy protections for EU individuals and applies to companies that collect or handle EU personal data. As a result, the GDPR impacts nearly all organizations doing business in the EU.
While the regulation identifies some new privacy concepts, much of the foundation has already been established at AACSB through existing compliance activities that ensure alignment with our internal compliance standards, and other laws and industry best practices. AACSB will align relevant practices with the GDPR in the delivery of our member services. The responsible handling and security of member data is of the highest priority for AACSB.
Current State Activities
As a professional association, AACSB is here to serve its members in an effective and responsible way. To address the unique requirements of the GDPR, AACSB partnered with an outside privacy consultancy firm to identify areas that may need to be enhanced to further align with the GDPR. With the guidance of these experts, AACSB is actively enhancing its current compliance program to strengthen its alignment with the GDPR. The key GDPR-related activities underway at AACSB include:
- Enhancing notices to ensure additional transparency is provided to members on the types of data collected and uses of the data;
- Reviewing and updating agreements with our members and third parties with whom we may share personal data, ensuring their commitment to data protection; and
- Creating new artifacts and documentation to support our alignment with the various requirements of the GDPR as best practices.
Key Changes Under the GDPR
Individuals have the right to:
- Access their personal data
- Have errors in their personal data corrected
- Have their personal data erased
- Object to the processing of their personal data
- Receive an export of their personal data
Controls and Notifications
Organizations will need to:
- Protect personal data using appropriate security measures
- Notify authorities of any personal data breaches within 72 hours of the data breach discovery
- Obtain appropriate and explicit consent for processing personal data
- Keep records detailing data processing activities
Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
If you have any questions or concerns, please reach out to the AACSB team at [email protected] or your usual AACSB representative.
For more information and details regarding the GDPR, please visit the EU GDPR page.