It has been nearly three months since the General Data Protection Regulation (GDPR) went into effect, and its impact has varied among corporations, small businesses, higher education and other organizations. Larger organizations spent significant resources, effort and money to comply with the regulation before the enforcement date, while others have taken the position that they are too small to be targeted or to have the regulation enforced against them. One sector that GDPR could affect across the entire United States is higher education.
How Will GDPR Affect Higher Education?
GDPR defines three basic roles in data transactions: the data subject (the person the data relates to); the data controller (which decides what is done with the data); and the data processor (which handles the data on the controller's behalf). A higher education institution (institution) is in all likelihood a controller with respect to its human resources and student data. It could also be a data processor, for instance, if it has a partnership through its study-abroad program. GDPR also places an emphasis on understanding and documenting which third-party vendors have access to data and what they are doing with it.
GDPR also explains rights for data subjects, including the right of access to data, the right to erasure (right to be forgotten), and rights to restrictions on data processing. For instance, data subjects have a right not to be subject to a decision based solely on automated processing.
Institutions typically have three different categories of data most likely to be impacted by GDPR. The first bucket consists of students who are EU citizens coming to an institution in the United States or attending the institution's locations abroad. Any data you collect on those students, from name to disability status or grades, will be considered personal data.
Another bucket is human resources data. People who work at U.S. universities may be EU citizens, or if an institution has operations abroad, it is likely to have a number of EU employees.
The third major bucket involves admissions and recruiting. Under GDPR, if a student doesn't apply to your institution but has some interaction with your website, or has admissions interaction with you, then that data will also be impacted. It won't be as extensive or sensitive as the data you have on your actual students, but a potential student is going to provide you some personal data that is going to have to be protected. GDPR is about making sure institutions are doing what is needed to protect the privacy of data and validating, through documentation and governance, that the controls they have implemented are effective.
The new rules require institutions to take extra steps to protect the personal information of people in the EU, regardless of whether they are EU citizens or permanent residents. So the requirements would also apply to American students or faculty members who communicate with campuses while they are in the EU.
Institutions that have campuses abroad or have faculty traveling abroad and using their work email will now be subject to the GDPR regulations. Institutions that are online-only will now need to start protecting the personal data of EU citizens, since anyone is able to enroll at these online schools. Enrollment management will now be required to collect only the information it needs to enroll students at its institutions and to retain that data only as long as necessary. It is going to be difficult for higher education institutions to determine when they should start purging data and how they will conform to the “right to be forgotten” for alumni, students, faculty or possibly recruits who want their information purged from the institution’s systems. GDPR is going to make business as usual for higher education a little bit more complex.
What Are the First Steps to Take?
Now that higher education needs to start thinking about becoming compliant with GDPR, what are the first steps to be taken to help reach that goal?
Data Audit: Complete an audit of all of the institution’s current data to determine what is currently stored on alumni, students, faculty, staff, applicants and applicants’ families. The institution needs to know what kind of personal data it holds as well as where this personal data is being stored (locally, servers, cloud, etc.). This includes reviewing who has access to the data, ensuring that permissions are configured so each department can access only what its responsibilities require, and identifying what specific personal data is being collected and stored (name, address, phone number, emails, financials, guardian’s personal data, etc.).
Data Justification: Determine the justification for storing and retaining the current data. The institution will need to go through the data it currently holds, document the justification for storing each category, and determine what is required and what can be purged.
Consent: Active consent is now required, and must be documented by the institution, before collecting and processing personal data from data subjects, including any new enrollment data. Active consent is also required to continue sending newsletters, marketing or other nonbusiness-related communications to any data subject associated with the institution. Data subjects must have a way to revoke their consent.
Data Access, Integrity and Deletion Process: The biggest challenge for institutions to incorporate is the ability to give their alumni, students, faculty, staff and applicants proper access to their own personal data. EU citizens must be able to request their data from the institution in a readable format, and the request must be completed within 30 days. Some organizations have implemented electronic ways to comply with this, while others need to collect and provide the personal data manually. EU citizens must have the ability to update their data or request that it be updated, and the ability to limit what their data is used for. The biggest hurdle at this time is honoring “the right to be forgotten”: how an institution will fulfill a request for data to be purged from all of its systems within 30 days.
Unfortunately, these are not the only things that need to be completed to become compliant, but completing them would be a great start for any higher education institution, or any organization, working toward GDPR compliance.
If you have any questions related to your organization’s compliance with GDPR, please contact Eric Wright at 412-697-5328 or [email protected].