GDPR Compliance in Higher Education

Most of us have gotten more than our fair share of GDPR emails in recent months.

Businesses and education institutions alike have been scrambling to update their privacy policies as the new data privacy law went into effect on Friday, May 25, 2018.

The new General Data Protection Regulation (GDPR) is forcing everyone to take a closer look at how they collect and handle personal data.

Most educational institutions are taking one of two common approaches:

  1. Avoidance
  2. Panic

We recently spoke with Mark McConahay, Associate Vice Provost and Registrar at Indiana University, Bloomington and the Vice President of Information Technology at the American Association of Collegiate Registrars and Admissions Officers (AACRAO).

During our conversation on the Enrollment Growth University podcast, he offered that the best approach is somewhere in the middle of these two extremes.

When Does GDPR Apply?

For U.S. education institutions, international recruitment is a natural first exposure point to think about. Since GDPR aims to protect the personal data of EU citizens, this can be a natural area of concern for institutions based here in the U.S.

However, McConahay pointed out three other areas may require your attention, as well:

1. Online Education

Many universities are gaining international students at a high rate through their various online education programs. If any portion of your online education student base is made up of EU citizens, you’ll want to ensure that you have GDPR compliance plans in place.

McConahay offered that time will likely provide more guidance on interpretation on the application of the GDPR, but institutions should also take precautions with data from students who are residing in EU countries, even if they aren’t EU citizens.

2. Gray Areas

Again, some areas on the exact application of the GDPR are less than clear at the moment.

So, it may be best to err on the side of caution.

A few possible gray areas to think about in your student records and data management plan might include:

Consortial relationships with European institutions that are within the EU. Taking a close look at what information you are sharing between your institutions will be a step in the right direction.

Students studying abroad in the EU could be another area of future concern.

What Defines Lawful Basis?

As you look at your data management plans in attempts to ensure compliance with the GDPR, it’s important to think about two ways that define legal and appropriate use of individuals’ private data:

1. When Necessary

As an educational institution, students enter into an agreement with your university to deliver services, including instruction and assessment on performance.

In this regard, academic records are pretty straightforward, since they are a natural part of the record-keeping process needed to fulfill the contract the student entered into with your institution.

Advising case management records might be a different story. It could be debated whether or not these sorts of records are completely necessary to retain, should the individual want them to be deleted.

This leads into the natural, second part of lawful usage of private data.

2. With Consent

Part of the aim of the GDPR is to allow the individual to limit their digital data footprint from spreading beyond their reach.

McConahay believes that this shouldn’t be confused with the “right to be forgotten.”

The GDPR shouldn’t open the door for students to be able to ask for the deletion of records of poor academic performance.

The response could and should be something along these lines, McConahay explained: “We need to keep those records permanently, and we explain[ed] that to you as we enter into that contract.”

What is the Financial Impact?

The new GDPR is a law with real penalties, versus a previous version that was a set of guidelines to be followed in years past.

While it’s more likely that large tech giants would be pursued for the high-dollar penalties described in the GDPR, McConahay suggests not taking the potential fines lightly, as they are quite substantial.

More Than Fines…

The financial impact could even come in a different way than you might expect, as well.

Imagine a prospective student is choosing between your institution and another. One responds to the student’s questions about compliance policies aligning with the GDPR. The other offers a puzzled, “I’m not sure.”

It’s not far-fetched to believe that the institution with the documented and accessible compliance plan could have a competitive edge in that student’s decision on where to attend.

Having a plan in place could help protect your institution in the case of a complaint of non-compliance, as well.

The costs of reputation management may be too much to bear, even if fines never actually hit your institution itself.

What Can You Do?

1. Know all of your external data sources

Student information that you record and store can come from a lot of different sources. Think about all of them carefully and have discussions about how that data will be managed.

Common sources might include test score providers, College Board and many others.

2. Have a plan in place

Recognize that there are things up for interpretation. According to McConahay, there is a lack of official guidance on interpretation and application of the GDPR, but if you can show that you have a plan, including specific policies and procedures, you’ll better protect your institution in the future.

That effort could help you avoid heavy penalties in the future.

3. Assemble a Team

Start with your university’s legal counsel, then gather up anyone who regularly processes PII (personally identifiable information). Look at scenarios of information management among all of those people to see where the GDPR could apply.

Once you have a team in place to take a closer look at the impacts of the GDPR specific to your university, you’ll be able to have those internal discussions and ask the next important questions:

How are we going to interpret it?

What should our response be?

As McConahay suggested, you should be able to take a close look at the provisions laid out by the GDPR and find them reasonable. Compliance should not be a daunting task.

Though it requires your attention (and a plan), don’t let the panic drive you to the point of being frightened by this new data privacy law.

Have a plan. Document it. Be prepared to revise it as interpretations become clearer in the future.

Somewhere between avoidance and panic there will be a successful way forward for your institution.

This post is based on a podcast interview with Mark McConahay from Indiana University, Bloomington. To hear this episode, and many more like it, you can subscribe to Enrollment Growth University.

If you don’t use iTunes, you can listen to every episode here.