GDPR and Higher Ed: Are You Ready?

Editor’s Note: The contents of this article are intended to convey general information only and not to provide legal advice or opinions. The contents of this article should not be construed as, and should not be relied upon for, legal advice.

The GDPR — the General Data Protection Regulation — goes into effect on May 25, 2018, signaling a huge change in the way businesses and organizations think about, collect and store personal data, at least with respect to individuals within the EU. It will also likely have significant implications for many American colleges and universities.

Here in the U.S., data privacy has been much in the news lately. Following social media giant Facebook’s admission that 87 million of its users may have had their data hijacked by Cambridge Analytica, a UK consultant that played an active role during the 2016 Presidential campaign, suddenly data privacy is a hot topic.

Facebook founder, Mark Zuckerberg, found himself testifying before Congress and apologizing for the massive data harvest. Meanwhile, users angered by the lax security of their private data mounted #DeleteFacebook campaigns online and the New York Times editorial page began calling for “a serious examination of how American privacy regulations can be strengthened.” Mainstream media reveled in covering the scandal.

But, while Americans are worrying about their Facebook data, Europe is blazing ahead with implementing the most comprehensive and far-reaching data protection legislation in the last 20 years — and setting the gold standard for the privacy of personal data.

What Does the GDPR Do?

The GDPR consolidates privacy regulations across the EU member states. Unlike the broad framework of the Data Protection Directive (DPD) of 1995 which precedes it and had to be legislated by individual member states, GDPR is akin to federal law here in the U.S. It’s legally binding across all 28 member states, making compliance requirements consistent across the EU and providing uniform protections for all EU residents. 

The GDPR has two essential components: a data privacy mandate and a data security mandate. It governs both data controllers and data processors. (A data controller is an entity that determines the purposes, conditions and means of processing personal data; the processor processes the personal data on behalf of a controller.)

On the privacy front, GDPR significantly enhances personal privacy rights for EU “data subjects,” granting them eight important rights:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure (frequently referred to as the “right to be forgotten”)
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

OK, But What Do These Rights Mean in Practice?

Clarity and transparency are the hallmarks of the GDPR. The legislation places much stricter requirements on consent for the use of personal data and broadens the definition of what constitutes personal data. 

• The regulation covers all facets of the data relationship: collection, retention, deletion, breaches and disclosure of personal data.
• Who are the “data subjects” being protected? Data subjects granted these protections are individuals located within the EU, whatever their nationality or permanent place of residence.
• What kind of personal data are we talking about? Pretty much everything. For the purposes of GDPR, data relates to anything that can be used to directly or indirectly identify an individual. This includes data such as name, phone number and address, of course; but it also means an IP address, a cultural profile, a photo, bank details, medical information, social media activities or an email address. The law applies to data processed both manually and by automated means and to data stored both digitally and physically, for instance, in filing cabinets.
• Specific consent for data use is paramount with the GDPR. Consent must be freely given and specific to that transaction. Under the legislation, the emphasis is on the opt-in, rather than the opt-out. Data subjects must give their consent for specific use of data before you can collect any personal information. And it is the data collector/processor’s responsibility to provide a clear, easy-to-understand way for users to opt in to sharing information rather than forcing them to opt out if they don’t want to. With some exceptions, it is also the collector’s/processor’s responsibility to maintain proof of consent to use this data.
• With GDPR, users cannot be snowballed when it comes to privacy. No more long, impossible-to-read agreements full of legalese, no more blanket approvals, no more pre-checked boxes or automatic opt-ins: 

“[T]he request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. ”

• Among the new rules is the “right to be forgotten,” which allows individuals to request that an organization delete or stop using their data. Individuals also have the right to request all of the personal data about them that a company is keeping and to transfer that data anywhere they want.
• The regulation provides additional protection of especially sensitive data, including racial and ethnic origin, religion, sexual orientation and political ideology.
• Additional protection is also granted to data subjects under the age of 16, with parental consent required to process their data for any online service.
• Data collectors and processors must have a good reason for collecting information. Although the regulation aims to strike a balance between business interests and individual privacy, the legislation makes data minimization a fundamental principle of personal privacy. In other words, you can no longer collect data because you might one day use it; any information you obtain must be for a legitimate reason.
• The GDPR also enforces the timeline for response to any data breach: organizations must inform affected individuals of breaches within 72 hours of their occurrence.

Moreover, the GDPR is backed by impressive enforcement powers. Organizations that fail to comply with the regulation can face steep penalties, depending on the specific article violations:

• 2% of global turnover (or €10M whichever is higher)
• 4% of global turnover (or €20M whichever is higher)

In addition, the GDPR introduces the right to a judicial remedy and the right to compensation for data subjects. So in addition to being on the receiving end of an enforcement action, violators of the regulation could be subject to court proceedings and have to pay compensation to data subjects whose rights are infringed under GDPR.

Who Does It Affect?

In the global economy we live in, it’s almost easier to ask who the GDPR doesn’t affect. According to the law, it applies to:

• Organizations within the EU
• Organizations outside the EU if they offer goods or services to or “monitor the behavior” of EU data subjects
• All organizations processing and holding personal data of data subjects residing in the EU — regardless of whether they have any physical presence in the EU 

Unlike the previous directive it replaces, which required a physical presence for mandated compliance (for instance, a processing center or even just a server in the EU), GDPR coverage extends to organizations with no physical EU footprint — if they are processing information of EU data subjects residing in the EU. (“Cloud” services must also comply.)

Does it Affect Your Higher Ed Institution?

Probably, yes.

When it comes to higher ed institutions, there are two things to keep in mind: First, higher ed lives and breathes data: data about students, data about applicants, research data, employee data, fundraising data. Higher ed institutions collect, keep and process a lot of data.

Second, almost every single U.S. higher ed institution has some sort of data relationship with the EU or with data subjects based in the EU. If you have EU residents as students, if you are providing distance education programs within the EU, if you have study abroad programs or international faculty exchanges, if you accept donations from alumni in the EU, if international students engage with your website to request information or to fill out application forms, if you have recruitment efforts aimed at international students residing in the EU — your institution is very likely impacted!

Again, any organization that collects and/or processes data relating to individuals in the EU, regardless of whether or not the organization is located within the EU, or whether the individuals are EU citizens or permanent residents, needs to be informed and needs to take action.

What You Need to Do

With just a few weeks to go until GDPR kicks in, many higher ed institutions remain unprepared, or even unaware of the coming changes. If you haven’t learned about the potential GDPR impacts on your institution or made any preparations for GDPR, you cannot wait any longer to begin. 

• Seek legal counsel. GDPR is lengthy and complex legislation, and it can affect an educational institution in a myriad of ways. Organizations such as the National Association of College and University Attorneys (NACUA) may be able to help.
• Create institutional awareness of the GDPR. Everyone should have a basic awareness of the regulations, their upcoming implementation and how it may affect your institution. If GDPR regulations apply to your institution, compliance is not likely to be a one-person responsibility — it’s going to take a concentrated effort by many departments and individuals working together. But if there is going to be a point person in your institution leading your efforts, communicate that clearly throughout your educational community.
• Audit the data you have. Take stock of what information you are keeping on prospects, students, alumni and staff and how many of them may fall under GDPR protection.

• Audit your processes for data collection, usage and storage. If you have data on individuals who may be protected under GDPR, determine if your data processing is legal under the new regulations. Review your privacy policy and online forms and update them as necessary. (Don’t forget website cookie policies.)
• Know the data rights of individuals under GDPR. There are many websites with useful information; you might want to start with the official website of the GDPR.
• Determine a plan for handling individual requests to retrieve, correct or erase data within the GDPR rules and allowable timeline. (Again, this applies only to data subjects residing in the EU.)
• Develop a data breach policy. A data breach policy is something that should be in place regardless of GDPR. In addition, it’s also important to know the requirements to report breaches to affected individuals protected under GDPR. 
• GDPR requires a top to bottom rethinking of how data is collected and why. The legislation presents a good opportunity for any organization to be more intentional about the data it collects and keeps. Do you really need it? Under GDPR, you cannot collect more information than you need to provide whatever service you are offering.
• Check that all third-party vendors you work with are in compliance if they collect or process information for you about EU data subjects. For instance, think about your email marketing lists. If you are using an email service provider (ESP) and EU data subjects are part of your email database, the ESP also must be compliant. Reputable ESPs like MailChimp, Constant Contact and iContact have already taken steps to comply with the new regulations, but it’s your responsibility to double check any third-party vendor you may be using.

Are “they” going to come after you and fine you immediately if you are not in full compliance on May 25? Probably not. EU regulators will most likely accept good faith efforts on the part of higher ed institutions and other businesses and organizations. For instance, France’s data protection authority, CNIL, has already publicly acknowledged how difficult complete GPDR compliance is going to be on day one; they recently issued a statement saying that companies can expect lenient treatment if they have acted in good faith to be compliant. Other European authorities have expressed similar indications.

There is undoubtedly going to be a learning curve both for EU regulators and the businesses and organizations at the other end of the new regulation. And it’s going to take some time before anyone has a clear understanding of how GDPR will be refined, interpreted and enforced by the authorities of the EU member states. Two things are clear, though: ignorance is no excuse and non-compliance is not an option.

It’s Really a Glass Half Full

Of course, the GDPR is going to force a lot of businesses, organizations and higher ed institutions to rethink the way they handle data privacy; there will be a lot of hard work and a great deal of diligence in store for affected institutions to ensure compliance under the new regulation.

But GDPR also represents an opportunity to establish better institutional privacy policies and better management practices for data governance, whether or not that data applies to GDPR-protected individuals. 

With the uproar in the U.S. about the Cambridge Analytica data capture and other countries also considering similar legislation, many businesses and higher ed institutions may find it easier to apply GDPR-level protection to all users, not just those affected within the EU. And, increasingly, the GDPR is being seen as a positive movement that should be implemented globally. Even Facebook’s Mark Zuckerberg indicated as much in his Congressional testimony when he said that the social media giant agrees “in spirit” with the protections. (He has been invited by the European Parliament to appear before them as well.)

Will anything change here in the U.S.? It’s too soon to tell whether US legislative authorities will act to strengthen data privacy already governed by a hodgepodge of existing regulations like FERPA, HIPPA, COPPA, the Privacy Act, and FTC privacy and data safeguarding rules.

In the meantime, Facebook (who stands to be hugely impacted by GDPR) has begun to adapt to the upcoming changes — including limiting its liabilities under GDPR.

One final note: Please keep in mind that we are higher ed marketing experts, not lawyers. This blog post is provided for informational purposes only and is not a substitute for legal advice. Reliance on any information contained herein is at your own risk, and you should consult your legal counsel for advice on how to interpret GDPR compliance.