How many times in the past year has a campus recruiter collected information about a prospective student from the European Union (EU)? Or faculty received data about European research subjects? Or asked for a donation from an alumnus who married the Spaniard they met while studying abroad and now lives in Madrid as a European resident?
The chances are high your campus handles information like this, and more, about EU residents. Under the General Data Protection Regulation (GDPR), if your college has any information relating to an EU resident, institutional procedures and policies will need to change.
We’re here to help through that transition. EAB is currently working to create higher education-specific GDPR response benchmarks and develop tools that best meet compliance-related challenges.
What is GDPR?
GDPR strengthens EU residents' control over their personal data. In practice this means the right to learn what data is being collected about them and why, to have inaccurate data corrected, to object to or restrict processing, to prevent data from being reused for purposes beyond the one it was collected for, and to have data erased. It also obliges organizations to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and to notify the affected individuals without undue delay when the breach is likely to put them at high risk.
Rather than the typical approach of collecting a mountain of data and determining later how to analyze and use it, GDPR requires organizations to articulate a justification before data is collected and processed (the regulation calls these principles purpose limitation and data minimization).
The clock is ticking
On May 25, 2018, the EU will begin enforcing GDPR. While many on campus are still unfamiliar with the acronym, let alone its impact, CIOs are already working to understand the implications of the regulation for higher education. GDPR expands data subject rights, emphasizes "privacy by design," and was written to reach organizations outside the EU that control or process the personal data of people in the EU, such as by offering them services or monitoring their behavior.
Members of the campus community should be prepared to audit the data they collect about students and employees and to justify keeping that data—as well as create processes to delete it when they cannot demonstrate a rationale or at the request of EU residents. While the general counsel’s office should be the first stop for conversations about GDPR, socializing the rest of campus—including IT staff—is critical with a looming deadline.
How is GDPR going to impact higher education?
Although GDPR applies only to the personal data of individuals in the EU, regardless of where the institution itself sits, the way data is scattered across most higher education institutions means that its reach is not limited to a single office or unit. Enrollment management and alumni relations will be most affected by these changes and will have the greatest need to work with IT staff to reach compliance.
Ultimately, the question that each unit must answer is, “Can we, with certainty, identify all data we collect about EU residents and either justify its maintenance or delete the information on request?”
Of course, the impact of GDPR isn’t limited to these units—they’re just high-priority first stops on the road to compliance. Researchers may need to create new policies and procedures for data collection, analysis, and collaboration, and academic units that retain student data will also need to audit and justify their collection and processing.
Questions for enrollment management
The enrollment office casts the widest net for personal data, as enrollment managers capture information about prospective students whether or not they end up applying. If enrollment management doesn't already identify what data it collects and how it uses each data point, it should work with IT to create processes to either justify retaining data about EU residents or delete data it cannot justify. Good places to start are information gathered by recruiters about students who never apply to the institution and application data from students who are denied admission.
Questions for alumni relations
At the other end of the student lifecycle, alumni relations will need to change business processes because of the longevity of the data it collects. Retaining information about former students is the bread and butter of alumni relations, but under GDPR, using information that was provided to the university for one purpose (enrollment) for a different one (fundraising or marketing) requires a lawful basis for that new purpose; consent is the most common one for direct marketing, although it is not the only basis the regulation recognizes. If alumni relations has no way to obtain and record consent, it will need to put one in place. And by "consent," GDPR is very specific: it must be freely given, specific, informed, and unambiguous, and it cannot be buried in a long form that a subject agrees to but never actually reads. The subject must also be able to withdraw it as easily as it was given.
Does it really matter?
Evaluating risk requires campus leaders to consider the likelihood of an event occurring and the consequences if it does. A conversation weighing these factors should start with your general counsel’s office, as GDPR is clearly intended to have wide jurisdiction and to reach multinational organizations, including those based in the United States.
However, given the multitude of bigger fish to fry, it seems unlikely that higher education institutions will be caught in early enforcement efforts unless specifically targeted for complaints. An apt analogy may be the enforcement of the Americans with Disabilities Act, where select large, internationally recognized institutions have been pursued for non-compliance. In the case of GDPR, institutions with an especially large presence serving EU residents may be similarly high profile.
When assessing the consequences of non-compliance, note that the penalties are significant: for the most serious infringements, fines of up to 20 million euros or four percent of total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of 10 million euros or two percent applies to other violations).
What are the baby steps towards GDPR compliance?
Since the new protections enacted by GDPR are data-focused, most campuses should start focusing on compliance around data discovery, management processes, and policies. Luckily, many of the recommended actions for GDPR compliance are priorities for anyone concerned with data governance and ethics. Working against the GDPR deadline can provide a sense of urgency to enact related best practices.
After a conversation with the general counsel's office, the second step is to conduct a data audit to identify what data each unit currently collects from and about EU residents.
From systems of record to Excel spreadsheets saved on desktops, each unit, with support from IT, must locate the personal data it collects and processes. This is a daunting task, but models to kick-start the process exist, such as the Higher Education Data Reference Model developed by the Council of Australian University Directors of Information Technology (CAUDIT).
This blueprint outlines the data collection mechanisms and specific data points within the student lifecycle that an institution may assemble, in addition to the data that supporting business units may gather. Rather than going to a business unit and asking them about student or employee data without context, approaching them with this model in hand will give structure to the conversation and jog their memory for overlooked data to audit.
Once an audit is complete, each business or academic unit needs to evaluate the purpose of each data point it collects and processes, so as to be prepared to articulate its value in furthering the institutional mission. IT can provide a template units can use to articulate the education- or research-oriented case for the data they are collecting and analyzing. The IT team may also be tasked with training staff on how to complete justification forms, in conjunction with representatives from the compliance or risk management teams on campus.
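The audit steps above (locate the personal data in each unit's files, flag which of it concerns EU residents, and hand the owning unit a record to fill in with a purpose and lawful basis) can be bootstrapped with a small discovery pass. The following is an added example written for this post, not an EAB tool and not something the regulation prescribes: it walks a directory of CSV exports (such as spreadsheets a recruiter saved to a desktop), uses heuristics to label columns that look like personal data, counts rows whose country field is an EU member state, and emits one inventory record per file. The column-name hints, regular expressions, member-state list and sample files are all assumptions made for the example.

```python
"""
Personal-data discovery pass for a GDPR data audit (added example).

Walks a tree of CSV files, labels columns that look like personal data,
counts rows whose country is an EU member state, and returns inventory
records the owning unit then completes with a purpose and lawful basis.
Everything here (hints, regexes, sample data) is a constructed assumption.
"""
import csv
import os
import re
import tempfile
from dataclasses import dataclass, field

# EU-27 ISO 3166-1 alpha-2 codes. Assumption: adjust to the audit date
# (for example, the UK was still a member when GDPR took effect in 2018).
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}

# Value-based heuristics: a column is flagged when most non-empty values match.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
ISO_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
MATCH_RATIO = 0.8

# Name-based heuristics (assumed vocabulary): substrings of a column header.
PII_COLUMN_HINTS = ("name", "email", "phone", "birth", "dob", "address",
                    "passport", "nationality")


@dataclass
class InventoryRecord:
    """One line of the audit inventory; purpose/basis are left for the unit."""
    path: str
    rows: int
    personal_data_columns: list = field(default_factory=list)
    eu_rows: int = 0
    purpose: str = "TO BE JUSTIFIED BY OWNING UNIT"
    lawful_basis: str = "UNDETERMINED"


def classify_column(name, values):
    """Return a label if the column looks like personal data, else None."""
    sample = [v.strip() for v in values if v and v.strip()]
    if not sample:
        return None
    if sum(1 for v in sample if EMAIL_RE.match(v)) / len(sample) >= MATCH_RATIO:
        return "email"
    if sum(1 for v in sample if ISO_DATE_RE.match(v)) / len(sample) >= MATCH_RATIO:
        return "date (review: birth date?)"   # a date column alone is only a hint
    lname = name.lower()
    for hint in PII_COLUMN_HINTS:
        if hint in lname:
            return hint
    return None


def scan_csv(path):
    """Build an InventoryRecord for one CSV file."""
    with open(path, newline="", encoding="utf-8") as fh:
        reader = csv.DictReader(fh)
        rows = list(reader)
        fields = reader.fieldnames or []
    record = InventoryRecord(path=path, rows=len(rows))
    for name in fields:
        label = classify_column(name, [r.get(name) or "" for r in rows])
        if label:
            record.personal_data_columns.append(f"{name} ({label})")
    country_col = next((f for f in fields if "country" in f.lower()), None)
    if country_col:
        record.eu_rows = sum(
            1 for r in rows if (r.get(country_col) or "").strip().upper() in EU_COUNTRIES
        )
    return record


def scan_tree(root):
    """Scan every .csv below root; returns records sorted by path."""
    records = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(".csv"):
                records.append(scan_csv(os.path.join(dirpath, fn)))
    return sorted(records, key=lambda r: r.path)


def build_sample_tree():
    """Constructed sample files standing in for a recruiter's desktop exports."""
    root = tempfile.mkdtemp(prefix="gdpr_audit_")
    with open(os.path.join(root, "prospects.csv"), "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["first_name", "last_name", "email", "country", "dob", "intended_major"])
        w.writerow(["Lena", "Mueller", "lena.m@example.de", "DE", "2000-03-14", "Physics"])
        w.writerow(["Marta", "Garcia", "marta.g@example.es", "ES", "1999-11-02", "History"])
        w.writerow(["Luc", "Martin", "luc.m@example.fr", "fr", "2001-07-30", "Biology"])
        w.writerow(["Ava", "Smith", "ava.s@example.com", "US", "2000-01-09", "Music"])
        w.writerow(["Noah", "Lee", "noah.l@example.ca", "CA", "2001-05-21", "Chemistry"])
    with open(os.path.join(root, "event_budget.csv"), "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["item", "cost"])
        w.writerow(["Venue", "1200"])
        w.writerow(["Catering", "800"])
    return root


if __name__ == "__main__":
    for rec in scan_tree(build_sample_tree()):
        print(rec)
```

The output for the constructed files is two records: prospects.csv with five rows, three of them EU residents, and the name, email and date columns flagged; event_budget.csv with no personal data. The heuristics are deliberately loose; their job is to hand a business unit a short list to review, not to replace the unit's own knowledge of what it collects.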
Offering a mission-related rationale for data collection and processing is not enough: every processing activity also needs a lawful basis under the regulation, and where that basis is consent, EU residents must consent to their information being processed in specific ways. GDPR also requires (in its transparency provisions) that the purpose of collection and use be explained in concise, plain language that the resident can actually understand, not in legal boilerplate.
Data access, integrity, and deletion processes
Finally for this blog post, but certainly not a final step on most campuses for GDPR compliance, business units need to put in place processes that allow EU residents to access their data in a format they can understand, to revise it to ensure accuracy, to limit its application (especially in the context of direct marketing), and to request its deletion.
If the data has already been located and tracked through the auditing process, adding a service in the IT catalog or a ticket type in a service management system should allow EU residents to request information about their data or changes to it. Keep in mind that GDPR expects a response without undue delay and in any case within one month of the request (extendable for complex cases), so the ticket type should carry a deadline. The same mechanism also creates an opportunity for campus to have a broader conversation about the data lifecycle and whether units should develop data deletion processes to improve overall data hygiene at the institution.
A close reading of GDPR will reveal a multitude of other questions: Do we need to appoint a data protection officer? Do we have processes in place to report a data breach to the relevant supervisory authority within 72 hours of discovery, and to notify the affected EU residents without undue delay when they are at high risk? Are the vendors we share data with also compliant, and do our contracts with them say so? How are we moving data across international borders? How are we identifying the EU residents to whom these regulations apply?
For those on the path to compliance, these questions are undoubtedly under discussion in conference rooms across campus. But if you're having trouble getting those conversations started, forward this blog and get those meetings on the calendar today.