GDPR Part One: The Basics for Universities
May 18, 2018
It’s the final countdown. One week before GDPR goes into effect worldwide. And to cover this sweeping legislation, our team is planning on releasing a series of three posts to provide meaningful details and dialogue to help universities prepare for the regulation.
Here in our first post, I will discuss the scope of GDPR and what universities need to focus on to ensure initial compliance. In my subsequent posts, I will discuss some of the ambiguous language in the regulation that has already led to some inconsistent interpretations, and finally what our team has done to prepare for GDPR.
This post will cover GDPR implications for US universities at a high level, and is intended for general faculty and administrators. For those working in data security, legal affairs, or student privacy, I encourage you to also examine the work of teams like the Working Group at AACRAO, who have completed more comprehensive assessments (see the AACRAO resource linked below). We have several additional resources listed below.
To begin, let’s discuss several key questions regarding GDPR:
What is GDPR?
The General Data Protection Regulation is sweeping data privacy legislation that was passed by the European Union in 2016 and goes into effect on May 25th. It protects the data of all EU Citizens, regardless of where they are currently located. It has regulatory teeth across borders (anywhere an EU Citizen may be generating a digital footprint) and tends to promote one concept: Data Privacy is a Human Right (as opposed to a Consumer Right).
Who does GDPR affect?
You… probably. Most universities (considered ‘data controllers’) in the United States will be subject to some GDPR oversight. Under the strictest interpretations of the law, answering yes to any of these questions indicates that GDPR applies to you in some capacity:
- Does your institution have EU students or applicants?
- Are your employees from EU countries?
- Do you market to EU students?
- Do you have students studying abroad in EU countries?
- Are your donors from the EU?
- Do you have research grants from the EU?
While this list probably applies to every institution in the country in some capacity, that’s not to say that all institutions face the same risk of non-compliance. In fact, some data processors like Blackboard have come out and publicly said “To be considered ‘offering services’ requires some degree of targeting [targeted marketing]. The mere fact that EU students are enrolled is not sufficient.” That interpretation may be valid, but as of this point it has not been confirmed by any governing body, and the Higher Ed community has not reached a consensus.
In addition to universities, all vendors who handle personal data on behalf of the university are considered “data processors” and are also subject to the regulations.
How do institutions achieve compliance?
While an entire book could be written on this question, I will briefly touch on three areas I believe universities should focus on:
People and culture
GDPR compliance is as much a change of culture as it is a change of policy. It begins with taking data privacy seriously as an institution, and getting organized around data privacy and security. From the top down, universities (as well as most companies in the world) will need to create a culture of responsible and ethical data management, which will include significant documentation and accountability.
While there will certainly be many contributors to GDPR compliance, the regulation specifically calls for a new role of a Data Protection Officer who should be primarily accountable for compliance at the institution. At universities, I expect this role will be adopted by CISOs, Legal Counsels, IT Professionals, and Chief Privacy Officers (when available).
Process and policies
GDPR specifically calls out several key concepts that universities must apply to data collected on EU citizens. I have selected what I consider to be five of the most relevant Articles to highlight how they could affect university processes and policies.
Processing of Personal Information – To be legally allowed to process an EU citizen’s personal data, universities will be required to meet certain requirements of consent or purpose. Under GDPR, what constitutes personal information is very broad (almost all data related to a student will fall under this category), so this potentially has large ramifications for the school. However, since these requirements are ambiguous, I’ll discuss them in more detail in our next post.
Transparency – Individuals should be provided notice of what information is being processed, and this should be expressed in a clear manner. The most obvious interpretation of that is that privacy policies must exist, and they must be comprehensible for students.
The right to be forgotten – For data that is not critical to the university’s operations, EU citizens should be allowed to request that their data be deleted. Once again, there are conditions, and this should not be interpreted to mean that students can ask for their grades to be forgotten.
Privacy by design – Another important core concept of GDPR, the regulation states that personal privacy should be considered in the design of all systems and processes.
Sensitive and personal data – GDPR broadens the definition of personal data, relative to what is customary in the U.S., to any data that can be used to identify a person. Specifically, things like Student IDs and IP addresses become personal data. It also defines sensitive data, which among other things includes any health, religious, and racial data the university might possess. The implication is that some systems that would previously have been out of scope (such as a website that doesn’t have any forms or logins) must still be managed under GDPR, and sensitive data must be managed very carefully.
Data management and security
Finally, another critical component of GDPR is the management and security of personal and sensitive data. While concepts like safe harbor already existed in the EU, this legislation introduces more stringent rules regarding the management and storage of data. Most notably, data processors and controllers are both required to store no more data than necessary, for no longer than necessary, according to a principle called “data minimization”.
The legislation also lays out some guidelines for data security, although more specific policies are required for programs like the EU-US Privacy Shield. The most well-defined security policy is around data breaches, which require that people are notified within 72 hours of an incident.
While data security is already an important issue for universities, this legislation certainly adds an incentive for universities to be diligent stewards of data.
What are my risks?
No one knows for sure the extent to which EU agencies will enforce these policies on universities in the United States. While many prominent cloud vendors in Higher Ed have minimized the risk to American universities (correctly identifying that these institutions are not the primary targets of this legislation), the fact remains that the broad, extensive language used in the legislation could have implications for almost every school in the nation.
Our recommendation is to allow GDPR to serve its intended purpose: to bring data privacy and security into focus for your institution. Doing so will not only reduce your regulatory risk, but also benefit your students and employees.
How do I get started?
With the regulation coming in less than a week, I’d expect most universities at higher risk to have already started implementing policies. But for institutions that may not have a large footprint in the EU, here are a few easy steps to get you prepared for GDPR:
- Identify the person(s) in the organization who should own data privacy and compliance, designate them your “Data Protection Officer”, and give them oversight over the institution’s data practices.
- Get leadership buy-in for making data privacy a priority. Many of the changes this regulation requires are as philosophical as operational. Make sure leadership understands the importance of data privacy and security.
- Conduct a data audit. This will help your team ensure that your privacy policies are up to date, your security systems are sound, and you are practicing data minimization. This should include a vendor assessment.
- Join the community. Given the ambiguous language of this legislation, it will be important to stay up to date with cases and precedents, particularly in higher education. To do so, I recommend joining communities like Educause’s Privacy Group and JISC.
To conclude, GDPR is an incredibly extensive regulation and at this point in time, achieving compliance may seem like a huge undertaking. However, I encourage universities to focus on the spirit of the regulation – that we have an obligation to our constituents to manage their data responsibly and ethically. I am confident that most universities and vendors already do so, and I believe that this legislation will encourage the entire community to engage in dialogue and implement processes that will positively affect our community.
We all know there is never a shortage of projects to pursue, but I believe shifting some of our focus to data privacy and security in light of this regulation will be hugely beneficial to Higher Ed.
- AACRAO – A great summary of how GDPR affects Higher Ed.
- Educause – Our community in the US dedicated to Higher Ed. There are several great articles, lectures, and working groups dedicated to GDPR. Joining the Privacy Group is particularly valuable for GDPR questions.
- JISC – A community in the UK focused on education, this website has excellent resources and forums dedicated to GDPR. Some of your most practical questions may be answered here.
- GDPR – The full regulation text.
- Data Assessment – A checklist provided by the Information Commissioner’s Office (the department that manages digital information in the UK) to help controllers determine if they are ready for GDPR.
- HECVAT – For universities who wish to improve documentation and policies supporting data security, this robust security questionnaire helps universities understand the scope of security questions they should be considering with vendors.
Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.
About the Author: Gary Garofalo
Gary is the co-founder and Chief Revenue Officer at Degree Analytics, where he focuses on developing new business relationships and partner success. He has spent his entire career using data and analytics to improve business operations and strategy. Gary believes the concept of the “Smart Campus” will be pivotal for universities to adapt to the future of education, and is passionate about delivering products that enhance the student experience.