Advances in technology give us powerful tools to use for work, but they also put those same tools into the hands of people who intend to use them for harm. This is the premise behind the European Union’s General Data Protection Regulation (GDPR). Since GDPR took effect in May 2018, businesses and organizations have been revising their policies to comply with its stringent requirements.
This post provides detailed information about GDPR, including:
Colleges and universities that collect personal data in any form from anyone located in the European Union (EU), including vendors and alumni as well as students, are required to comply with GDPR. So far, enforcement by the national data protection authorities has been uneven, and even the fines levied have not been substantial relative to the size of the organizations fined: Google’s €50 million fine from the French authority (CNIL) amounts to only about 0.04 percent of its 2018 revenue. Still, it makes sense to become and stay compliant. Data protection isn’t going away; if anything, it is an issue that will continue to grow in importance.
Before GDPR took effect in 2018, the EU had no single, directly applicable data protection regulation: the 1995 Data Protection Directive had to be transposed into each member state’s own national law. GDPR changed that by modernizing the rules that require businesses and public sector organizations to protect the personal information they collect and process from individuals, and by strengthening the rights of individuals so that they have more control over their information.
GDPR covers every step of processing, including collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, and erasure or destruction. Seven principles, set out in Article 5 of the regulation, guide GDPR compliance in higher education:
GDPR in higher education is guided by seven principles.
Image courtesy of Sphere Identity
Yes. Almost every US college or university has international students, prospective students, distance-learning students, alumni, donors, vendors, and so on, and some of them are in the EU. Data collected about those individuals while they are in the EU is protected by GDPR. For example, a prospective student living in the EU might complete a form on your website; that data must then be handled to GDPR standards. While US data protection laws haven’t caught up to the strict requirements of GDPR, it’s only a matter of time before they do. In fact, several states, such as California and Virginia, have already enacted similar legislation.
In contrast to HIPAA, FERPA, and other US data protection laws, each of which covers one sector or type of record, European law regards privacy as a fundamental right, and GDPR applies across all sectors. What this means for US colleges and universities is that any individual in the European Union who has provided data to your school is protected by GDPR.
Although GDPR has been in effect since 2018, many colleges and universities continue to struggle with how best to implement the rules. One reason is that the law is incredibly complex. Specifically, the law gives students the right to:
US colleges and universities are responsible for ensuring that data from EU students is safeguarded according to GDPR standards.
GDPR in higher education requires adherence to EU law in addition to US data protection laws.
Image courtesy of Marketplace.org
Recruitment of students in the US is not subject to GDPR; recruitment of students in the EU is. The key differentiator is location, not nationality: anyone located in the European Union, including Americans, is protected by GDPR, while EU citizens who have moved to the US to attend college are not for data collected once they are here. Any data collected from individuals physically located in the EU is covered.
Keep GDPR in mind when planning international student recruitment and marketing, because marketing data also falls under GDPR. You may not be actively marketing to prospective students in the EU, but if one completes an online form and provides personal data, that data is protected. The same goes for your institution’s newsletter: if it is sent to alumni living in the EU, their subscription data is covered by GDPR, and under Article 21 they have an unconditional right to object to direct marketing, after which you must stop sending it.
With no consensus at the federal level, states are taking it upon themselves to establish stricter privacy laws for their residents. After the California Consumer Privacy Act was signed into law in 2018, other states followed suit by proposing similar legislation to strengthen consumer privacy protection. You can check whether your state is enacting legislation by going to the International Association of Privacy Professionals’ comparison table and resource center.
This chart shows a state-by-state comparison of privacy laws.
Data courtesy of IAPP
Information collected for human resources purposes also falls under GDPR. Faculty and graduate students recruited to work at your college or university at an event within the US, such as a conference, are not covered by GDPR; those recruited at a conference in an EU country are.
Likewise, if faculty are recruiting individuals for clinical trials or research studies, any data collected from participants located in the EU is subject to GDPR. Health data gathered in such studies is a special category of personal data under Article 9, whose processing is prohibited unless a specific exception applies, such as the participant’s explicit consent or processing for scientific research purposes with the safeguards required by Article 89.
If your college or university is identified as GDPR non-compliant, there are several consequences:
Non-compliance is a serious matter, and one that the EU’s national data protection authorities are empowered to tackle: Article 83 allows administrative fines of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher.
Steep fines are part of the penalties for non-compliance with GDPR in higher education.
Image courtesy of ARMA.org
GDPR requires substantial time and resources to meet compliance, but the rules also bring benefits. Improvements in data protection for everyone on your campus reduce both the likelihood and the impact of a security breach. At the very least, you’ll have a campus-wide process in place.
The data your school does collect will be more targeted and higher in quality. You won’t have to weed through as much to find the students who are really interested in engaging with you.
Stronger standards also make everyone more aware of how they interact with and protect data, their own as well as other people’s.
Data protection is a campus-wide effort that involves every department to ensure a smooth and comprehensive implementation. Web professionals, marketers, administrators, and IT should all be involved in the process.
If possible, bring together everyone involved to assess the strengths and weaknesses of your current data protection plan and how to improve it going forward. One way to start the discussion is to ask these critical questions:
Automating protection is another safeguard; for online data, a quality web content management system (CMS) can enforce much of it. Education is also key: provide workshops, webcasts, and other materials at the start of implementation and then periodically to stay current.
And finally, write a clear privacy policy defining what personal data is collected, how it is used, and why. Under GDPR (Articles 13 and 14) the notice must also state the identity and contact details of the controller, the legal basis for each purpose, how long the data is kept, whether it is transferred outside the EU, and how individuals can exercise their rights, withdraw consent, or lodge a complaint with a supervisory authority.
US colleges and universities should have a clear privacy policy available on their website.
Image courtesy of Mt. San Antonio College
Staying compliant with GDPR is complicated, but automating some of the work lets you focus on other aspects of compliance. One of the best ways to do this is to invest in a quality CMS.
Specifically, a good CMS will make it easy to:
To learn more about next steps, check out these resources to keep your college or university in compliance:
Staying compliant with GDPR is a constant process, but one with ethical as well as legal implications. It is in your institution’s best interest to implement comprehensive protection policies sooner rather than later, and to share this post with colleagues so that your entire team understands the critical importance of protecting and securing the personal data your college or university holds.
Request a demo of Modern Campus CMS to see how a quality CMS can help you stay compliant.
Last updated: February 5, 2021