GDPR and US Higher Education: What You Need to Know
Advances in technology give us powerful tools for work, but they also put those same tools into the hands of people who intend to use them for harm. This is the premise behind the European Union's General Data Protection Regulation (GDPR). Since GDPR went into effect in May 2018, businesses and organizations have been revising their policies and processes to comply with its requirements.
This post provides detailed information about GDPR, including:
- An overview of GDPR.
- How GDPR applies to colleges and universities.
- What GDPR means for colleges and universities in the US.
- How GDPR affects student recruitment.
- How newly enacted US state privacy laws similar to GDPR will affect colleges and universities.
- What GDPR means for college and university faculty.
- What happens if your higher ed institution is not GDPR compliant.
- The benefits of GDPR in higher education.
- Ensuring GDPR compliance at your college or university.
- Tools to help you stay compliant with GDPR.
- GDPR and US higher education resources.
Colleges and universities that collect personal data from anyone physically located in the European Union (EU), in any form and from any category of person (prospective students, enrolled students, alumni, donors, vendors, research participants), are required to comply with GDPR. Enforcement is carried out by each member state's supervisory authority rather than a single EU body, and so far those authorities have not handed out fines aggressively; even the fines levied have not been large relative to the organizations involved (the €50 million fine that France's CNIL imposed on Google in January 2019 amounts to about 0.04 percent of Google's 2018 revenue). Still, it makes sense to become and stay compliant. Data protection isn't going away; if anything, it is an issue that will continue to grow in importance.
Before GDPR took effect in 2018, EU data protection rested on the 1995 Data Protection Directive, which each member state transposed into its own national law, so there was no single regulation that applied directly and uniformly across the EU. GDPR changed that by modernizing the rules that require businesses and public sector organizations to protect the personal information they gather and process, and by strengthening the rights of individuals so that they have more control over their information.
GDPR regulates "processing" in the broadest sense, which covers every step in the life of personal data: collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure, combination, restriction, and erasure or destruction. Article 5 sets out seven principles that guide GDPR compliance in higher education:
- Lawfulness, fairness, and transparency: information is gathered on a valid lawful basis (consent is one of several; contract, legal obligation, and legitimate interests are others), fairly, and with clear notice to the individual.
- Purpose limitation: information is collected for a specified, explicit purpose and is not further processed in a way incompatible with that purpose.
- Data minimization: only the data that is adequate, relevant, and necessary for that purpose is collected, and no more.
- Accuracy: data must be kept accurate and up to date, and inaccurate data must be corrected or erased without delay.
- Storage limitation: data is kept in identifiable form only as long as it is needed for the purpose; this is separate from, and in addition to, an individual's right to erasure.
- Integrity and confidentiality: data is processed with appropriate security, protecting it against unauthorized access, loss, or damage.
- Accountability: the organization that determines why and how data is processed is responsible for complying with these principles and must be able to demonstrate that it does.
GDPR in higher education is guided by seven principles.
Image courtesy of Sphere Identity
Yes, GDPR applies to US colleges and universities. Almost every US institution has an international student, prospective student, distance learning student, alumnus, donor, vendor, or research participant located in the EU. GDPR reaches organizations outside the EU when they offer goods or services to people in the EU or monitor their behavior there, so data collected about those individuals must be handled to GDPR standards. For example, a prospective student living in the EU might complete an inquiry form on your website; that data must then be protected. While US data protection laws have not caught up to the requirements of GDPR, it is only a matter of time before they do. In fact, several states, such as California and Virginia, have already enacted similar legislation.
In contrast to HIPAA, FERPA, and other sector-specific US data protection laws, European law regards privacy as a fundamental right. What this means for US colleges and universities is that any individual in the European Union whose data your school collects or processes is protected by GDPR.
Although GDPR has been in effect since 2018, many colleges and universities continue to struggle with how best to implement the rules. One reason is that the law is incredibly complex. Specifically, the law gives students (and every other data subject) the right to:
- Receive their data in a machine-readable format, delivered to themselves or to a third party (data portability, Article 20).
- Ask your school to restrict processing of their data while a dispute about it is resolved (Article 18).
- Have their data erased, including when your school no longer has a need for it (the "right to be forgotten," Article 17).
- Access the personal information your school holds about them, and learn how it is used and with whom it is shared (Article 15).
- Have inaccurate personal information corrected (Article 16).
- Object to processing of their data, including any direct marketing (Article 21).
- Not be subject to decisions made solely by automated processing that significantly affect them (Article 22).
US colleges and universities are responsible for ensuring that data from individuals in the EU is safeguarded according to GDPR standards.
GDPR in higher education requires adherence to EU law in addition to US data protection laws.
Image courtesy of Marketplace.org
Recruitment efforts aimed at students in the US are not subject to GDPR. However, international student recruitment is. Students who are in the European Union, including Americans living there, are protected by GDPR. EU students who move to the US to attend college are generally not covered for data collected after they arrive, although the data you gathered while they were in the EU remains subject to the regulation. The key differentiator is the individual's location at the time the data is collected, not citizenship: any data from individuals physically located in the EU is covered.
Marketing data also falls under GDPR, so international student recruitment campaigns should be planned with the regulation in mind. You may not be actively marketing to prospective students in the EU, but if one completes an online form and provides data, that data is protected. What about your institution's newsletter? If it is sent to alumni living in the EU, it is GDPR protected, and recipients must be able to object to or unsubscribe from it.
With no consensus at the federal level, states are taking it upon themselves to establish stricter privacy laws for their residents. After the California Consumer Privacy Act was signed into law in 2018, other states followed suit by proposing similar legislation to strengthen consumer privacy protection. You can check whether your state is enacting legislation by consulting the International Association of Privacy Professionals' Comparison Table and Resource Center.
This chart shows a state-by-state comparison of privacy laws.
Data courtesy of IAPP
Any information collected for human resources purposes also falls under GDPR. Faculty and graduate students recruited to work at your college or university at a conference in the US are not covered by GDPR; faculty and students recruited at a conference in an EU country are, because they were in the EU when you collected their data.
Likewise, if faculty are recruiting individuals for clinical trials or research studies, any data collected from participants located in the EU is subject to GDPR. Health and genetic data are "special category" data under Article 9, which require a stronger lawful basis (typically explicit consent or a specific research exemption) than ordinary personal data.
If your college or university is found to be non-compliant with GDPR, a supervisory authority has several tools available, and affected individuals have remedies of their own:
- A warning or reprimand may be issued to notify the college or university of non-compliance. This gives your school time to become GDPR compliant campus-wide.
- An audit may be required to review your institution's privacy policies and practices, and it might not be just one. Non-compliant institutions may be required to undergo routine data protection audits.
- Administrative fines can be levied for failure to comply: up to €10 million or 2 percent of worldwide annual turnover for violations such as inadequate security or record-keeping, and up to €20 million or 4 percent for violations of the core principles or of individuals' rights, whichever amount is higher.
- Individuals who suffer harm because GDPR standards were not followed can claim compensation from your institution.
Non-compliance is a serious matter and one that EU supervisory authorities are not afraid to tackle.
Steep fines are part of the penalties for non-compliance with GDPR in higher education.
Image courtesy of ARMA.org
GDPR requires substantial time and resources to meet compliance, but the rules also bring benefits. Stronger data protection for everyone on your campus reduces the likelihood and the impact of a security breach, because less data is held, for less time, and by fewer people. At the very least, you will have a campus-wide process in place.
The data your school does collect will be more targeted and higher in quality. You will not have to weed through as much to find the students who are genuinely interested in engaging with you.
Stronger standards also make everyone more aware of how they interact with and protect data, other people's as well as their own.
Data protection is a campus-wide effort that involves every department to ensure a smooth and comprehensive implementation. Web professionals, marketers, administrators, and IT should all be involved in the process.
If possible, bring together everyone involved to brainstorm strengths and weaknesses of your current data protection plan and how to make improvements going forward. One way to do this is to create discussion by asking these critical questions:
- What data is your college or university currently gathering?
- Where is the data collected and stored?
- Why is certain data collected?
- Who has access to data?
- What is the current process for individuals to explore how their data is collected and used?
- How long is data kept?
Automating protection is another safeguard, something that you can implement for online data using a quality web content management system (CMS). Education is also key. Consider providing workshops, webcasts, and other materials both at the onset of implementation and then periodically to stay current.
Image courtesy of Mt. San Antonio College
Staying compliant with GDPR is complicated, but automating some of the work will allow you to focus on other aspects of compliance. One of the best ways to do this is to invest in a quality CMS.
Specifically, a good CMS will make it easy to:
- Edit content so that your privacy notices stay current and inaccurate information can be corrected or deleted as soon as it is found.
- Collaborate across teams to maintain GDPR compliance.
- Log edits and simplify audits.
- Reduce exposure to data breaches with a decoupled architecture: published pages are served as static files rather than from a live database, avoiding a class of attacks that database-driven systems experience.
- Collect only the visitor information explicitly requested on a form.
- Submit forms through a secure server-side module, so the data never passes through a client-side script that can be tampered with.
- Export or delete form submissions within the CMS, which is how access, portability, and erasure requests are fulfilled in practice.
- Support compliance with email campaign anti-spam laws such as CAN-SPAM.
- Maintain an open platform with enterprise-level APIs so custom code can be written to perform institution-specific GDPR processes.
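The data subject rights listed earlier (access, portability, erasure) and the CMS features just described (collect only what the form asks for, export or delete submissions, keep an audit log) come together in one small piece of code. The following Python example is added here for illustration; it is not Omni CMS code or any vendor's API. It models a web-inquiry form store that applies data minimization on intake, enforces a retention period, produces a machine-readable export for an access or portability request, and erases a subject's records while keeping a hash-chained audit trail that contains no personal data. The class, field names, retention period, and sample submissions are all hypothetical and constructed for the example.

```python
"""Illustrative GDPR-style handling of web-form submissions (not CMS code).

Shows data minimisation on intake, storage limitation, subject access /
portability export, and erasure with an audit trail that holds no PII.
All names, the retention period and the sample data are hypothetical.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Data minimisation: only these form fields are ever stored; anything else
# posted with the form is discarded before it reaches the store.
ALLOWED_FIELDS = {"name", "email", "country", "program_of_interest"}
# Storage limitation: hypothetical retention period for admissions inquiries.
RETENTION = timedelta(days=365)


@dataclass
class Submission:
    id: int
    email: str
    data: dict
    received: datetime


@dataclass
class SubmissionStore:
    submissions: dict[int, Submission] = field(default_factory=dict)
    audit: list[dict] = field(default_factory=list)
    _next_id: int = 1

    def _log(self, action: str, email: str, **extra) -> None:
        # The audit log records a salted hash of the subject identifier, never
        # the address itself, so erasing the subject does not require editing
        # the log. Entries are hash-chained so later tampering is detectable.
        subject = hashlib.sha256(b"audit-salt:" + email.lower().encode()).hexdigest()[:16]
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"action": action, "subject": subject, "prev": prev, **extra}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def submit(self, posted: dict, now: datetime) -> int:
        kept = {k: v for k, v in posted.items() if k in ALLOWED_FIELDS}
        if "email" not in kept:
            raise ValueError("an inquiry needs a contact email")
        sid, self._next_id = self._next_id, self._next_id + 1
        self.submissions[sid] = Submission(sid, kept["email"], kept, now)
        self._log("collect", kept["email"], fields=sorted(kept), submission_id=sid)
        return sid

    def _for_subject(self, email: str) -> list[Submission]:
        return [s for s in self.submissions.values() if s.email.lower() == email.lower()]

    def export(self, email: str) -> str:
        """Access / portability: everything held on the subject, as JSON."""
        records = [{"id": s.id, "received": s.received.isoformat(), **s.data}
                   for s in self._for_subject(email)]
        self._log("export", email, count=len(records))
        return json.dumps(records, indent=2)

    def erase(self, email: str) -> int:
        """Erasure: delete the subject's records; the log keeps only the hashed id."""
        ids = [s.id for s in self._for_subject(email)]
        for sid in ids:
            del self.submissions[sid]
        self._log("erase", email, submission_ids=ids)
        return len(ids)

    def purge_expired(self, now: datetime) -> int:
        """Storage limitation: drop submissions older than RETENTION."""
        expired = [s for s in self.submissions.values() if now - s.received > RETENTION]
        for s in expired:
            del self.submissions[s.id]
            self._log("expire", s.email, submission_id=s.id)
        return len(expired)

    def verify_audit(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(
                    json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    """Run the whole flow on constructed sample submissions and return the outcomes."""
    t0 = datetime(2021, 1, 15, tzinfo=timezone.utc)
    store = SubmissionStore()
    # Constructed sample data. "browser_fingerprint" is not on the allow-list
    # and must never be stored, however the form script happened to post it.
    ana = store.submit({"name": "Ana Example", "email": "ana@example.eu", "country": "PT",
                        "program_of_interest": "MSc Data Science",
                        "browser_fingerprint": "abc123"}, t0)
    store.submit({"name": "Ben Sample", "email": "ben@example.edu", "country": "US"}, t0)
    stored_fields = sorted(store.submissions[ana].data)
    export_json = store.export("ana@example.eu")
    erased = store.erase("Ana@Example.eu")          # identifier match is case-insensitive
    expired = store.purge_expired(t0 + timedelta(days=400))
    return {"stored_fields": stored_fields, "export_count": len(json.loads(export_json)),
            "erased": erased, "expired": expired, "remaining": len(store.submissions),
            "audit_ok": store.verify_audit(),
            "audit_has_pii": any("ana@example.eu" in json.dumps(e) for e in store.audit)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices matter here. Erasure removes the subject's data but not the fact that a request was handled, which you will need to demonstrate accountability during an audit; keying the log on a salted hash rather than the email address is what lets both requirements coexist. And the retention sweep runs on the store, not on the form, so records are dropped on schedule whether or not anyone ever files a request.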
To learn more about next steps, check out these resources to keep your college or university in compliance:
- Get news directly from the source on the EU GDPR website.
- Anna Krenkel’s article on the EAB site discusses four things you need to know about GDPR.
- EDUCAUSE provides 4 Things You Should Know About the GDPR (video), and discusses The Yin and Yang of Security and Privacy.
- The International Conference on Availability, Reliability and Security (ARES) explores the protection of personal data versus the obstacles for sharing data.
- Learn more about what the US is doing regarding data privacy.
- The International Conference on Artificial Intelligence and Law points out holes in the GDPR regulation.
- The ACM Conference on Data and Application Security and Privacy provides a simplified privacy guide to explain the GDPR and risk levels.
- WCET has conducted research on GDPR and what you can do now to prepare for compliance.
- Trying to explain GDPR to your boss? The Center for Digital Education does a good job of highlighting the pros and cons.
- The XPAN Law Group has a series of blogs devoted to GDPR issues from a legal standpoint.
- EDUCAUSE provides a roundup of GDPR articles.
Staying compliant with GDPR is an ongoing process, and one with both ethical and legal implications. It is in your institution's best interest to implement comprehensive protection policies sooner rather than later, and to share this post with colleagues so that your entire team understands the importance of protecting and securing the personal data your college or university holds.
Request a demo of Omni CMS to see how a quality CMS can help you stay compliant.
Last updated: February 5, 2021