Why Higher Education Institutions Must Comply with GDPR

The EU General Data Protection Regulation (GDPR) has been in effect for 10 months. One sector that has been affected by the newly enforced regulation, but is not always in the spotlight, is higher education. Although many institutions have no physical presence within the EU, they are affected by GDPR because they have relationships with individuals located within the EU, which requires them to be compliant.

How are U.S. colleges and universities and their students affected by GDPR?

More and more universities are providing study abroad opportunities to their students, faculty and staff travel to the EU, and an increasing number of international students attend U.S. institutions. For these reasons alone, being GDPR compliant is a requirement. Not all U.S. institutions have a stable arrangement in the European Union, such as a campus or study center; however, these universities will not be exempt from the GDPR regulations.

Personal data collected by higher education institutions requires GDPR compliance.

Personal data currently collected by higher education institutions includes name and birthdate, as well as some or all of the following identifying attributes: ethnic origin, political or religious beliefs, genetic data, biometric data, sexual preference or orientation, health information and IP addresses. There are many scenarios involving individuals that require higher education institutions to become GDPR compliant. Some examples:

  • students in a study abroad program in an EU member state;
  • international students applying at U.S. higher education institutions;
  • EU faculty and staff working at a U.S. higher education institution;
  • alumni or donors located within an EU member state; and
  • a U.S. citizen who is a student of a U.S. higher education institution traveling in the EU.

What should U.S. higher education institutions do?

Institutions should work with their legal department to identify the GDPR lawful basis for collecting, processing and storing GDPR-pertinent information, and provide appropriate information and notice to all of their data subjects.

The following compliance initiatives should be addressed by U.S. higher education institutions to ensure GDPR compliance: 

  • revise privacy policies;
  • gain consent from data subjects;
  • ensure protection and encryption of personal data;
  • perform a Data Protection Impact Analysis;
  • review and establish procedures around protecting data;
  • provide continuing awareness and education around GDPR for all faculty, staff and students; and
  • implement a data breach procedure that allows for immediate notice to a Supervisory Authority if a breach occurs. 

Any student who is studying abroad, and any faculty or staff working in an EU member state, should be educated about and aware of the greater protection provided to them regarding their personal data while outside of the U.S.

Subject access requests are a major component of GDPR. U.S. higher education institutions must be very careful to verify the identity of the data subject before supplying or deleting any student, faculty or staff information, to ensure that the request is legitimate.

How has GDPR affected U.S. higher education institutions so far?

Since enforcement began in May 2018, there have been some cases in the EU involving U.S. higher education institutions, but none of these has led to court litigation at this time. Some of these cases include:

  • U.S. students traveling in the EU on study abroad programs withdrawing their consent to the institution’s use of their data once they arrive in the EU;
  • local employees of U.S. institutions claiming data breach and unlawful data transfer to the U.S.; and
  • U.S. donors living in the EU reporting that their personal information has been given to U.S. financial institutions without proper consent. 

Even though none of these issues has reached the point of litigation or a fine, U.S. higher education institutions must treat compliance with the GDPR with the same urgency as any other U.S.-based organization.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.