Why Higher Education Institutions Must Comply with GDPR

The EU General Data Protection Regulation (GDPR) has been in effect for 10 months. One sector that has been affected by the newly enforced regulation, but is not always in the spotlight, is higher education.  Although, many institutions have no physical presence within the EU they are affected by GDPR since they have relationships with individuals located within the EU, which requires them to be complaint.

How are U.S. colleges and universities and their students affected by GDPR?

More and more universities are providing study abroad opportunities to their students, faculty and staff travel to the EU, and an increasing number of international students attend U.S. institutions. For these reasons alone, being GDPR compliant is a requirement.  Not all U.S. institutions may have a stable arrangement in the European Union, such as a campus or study center; however, these universities will not be exempt from the GDPR regulations. 

Personal data collected by higher education institutions requires GDPR compliance.

Personal data currently collected by higher education institutions includes name and birthdate, as well as some or all of the following identifying attributes: ethnic origin, political or religious beliefs, genetic data, biometric data, sexual preference or orientation, health information and IP addresses.  There are many scenarios involving individuals that require higher education institutions to become GDPR complaint. Some examples:

  • students in a study abroad program in an EU member state;
  • international students applying at U.S. higher education institutions;
  • EU faculty and staff working at a U.S. higher education institution;
  • alumni or donors located with an EU member state; and
  • A U.S. citizen who is a student of a U.S. higher education institution traveling in the EU.

What should U.S. higher education institutions do?

Institutions should work with their legal department in identifying the GDPR lawful basis for data collection, processing, and storing of GDPR pertinent information, and provide appropriate information and notice to all of their data subjects. 

The following compliance initiatives should be addressed by U.S. higher education institutions to ensure GDPR compliance: 

  • revise privacy policies;
  • gain consent from data subjects;
  • ensure protection and encryption of personal data;
  • perform a Data Protection Impact Analysis;
  • review and establish procedures around protecting data;
  • provide continuing awareness and education around GDPR for all faculty, staff and students; and
  • implement a data breach procedure that allows for immediate notice to a Supervisory Authority if a breach occurs. 

Any student that is studying abroad, and any faculty or staff working in an EU member state should be educated and aware of the greater protection provided to them regarding their personal data while outside of the U.S. 

Subject access requests are a major component within GDPR, and U.S. higher education institutions must be very careful and validate the data subject prior to supplying or deleting any student, faculty or staff information, to ensure that the request or submission of information is legitimate.    

How has GDPR affected U.S. higher education institutions so far?

Since being enforced in May 2018, GDPR has seen some cases in the EU involving U.S. higher education institutions, but none of these have led to court litigation at this time.  Some of these cases include:

  • U.S. students traveling in the EU on study abroad programs withdrawing their consent to the institution’s use of their data once they arrive in the EU;
  • local employees of U.S. institutions claiming data breach and unlawful data transfer to the U.S.; and
  • U.S. donors living in the EU reporting that their personal information has been given to U.S. financial institutions without proper consent. 

Even though none of these issues have reached the point of litigation or fine, U.S. higher education institutions must consider compliance with the GDPR with the same urgency as any other U.S. based organization.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2022 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Benefits of a Trusted Co-Source Audit Partner During the Great Resignation
Business Continuity and Disaster Recovery Planning
What Should a Service Organization Consider When Determining Its SOC Report Testing Period?
Lincoln College Closes Due to Ransomware Attack
Benefits of a Contract Lifecycle Management System
Changes in Athletics with the New NCAA Constitution Approval
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.