GDPR Compliance Checklist for Higher Education

American higher education institutions who process data of students from the EU are scrambling to ensure they’re compliant with the May 25th deadline of the GDPR.

To help, here is a checklist of items you’ll want to follow. This is a good starting point for any institution who is looking for a foundational compliance plan, but does not constitute legal advice or an actual compliance plan. Your individual institutional climate is going to dictate the specifics of how you comply with the GDPR; what I’ve done for you in this article is to give you the what and the why.

This is a good checklist if you are:

  • a community college or university in America and need a good start GDPR compliance at your institution
  • already in the process of GDPR compliance and looking for items you may have overlooked or missed
  • consulting with colleges on GDPR compliance

Please note: Your Chief Technology/Information Officer and your Legal Counsel are going to be the most important folks in ensuring your institution is compliant with the GDPR. Legal counsel should be asking questions and outlining areas where you may be exposed to legal risk, and your Information Systems managers should be able to answer whether you are or are not in compliance — and develop plans to work toward mitigating legal risks.

GDPR Compliance Checklist

In terms of data, ensure your institution has has:

  1. A list of all types of personal information it holds, the source of that information, who you share it with, what you do with it, and how long you will keep it (GDPR Article 30)
  2. A list of places where it keeps personal information and the ways data flows between them (GDPR Article 30)
  3. A publicly accessible privacy policy that outlines all processes related to personal data (GDPR Article 30) and includes a lawful basis to explain why the company needs to process personal information (GDPR Article 6)

In terms of management and accountability, your institution MUST:

  1. Appoint a Data Protection Officer (DPO) (GDPR Article 37)
  2. Create awareness among decision-makers about GDPR guidelines (GDPR Article 25)
  3. Audit and ensure all technical security practices are up to date (GDPR Article 25)
  4. Train staff on data protection practices (GDPR Article 25)
  5. List the vendors who process our data (e.g., “sub-processors”) and promulgate our data relationship with them via your privacy policy (GDPR Article 28)
  6. Appoint an EU representative who could be contacted by a local authority should a concern arise (GDPR Article 27)
  7. Audit and deploy measures to report data breaches to local authority and to students involved in the breach within 72 hours (GDPR Article 33; GDPR Article 34)
  8. Ensure contracts are in place with any vendor or “data processor” that your institution shares data with (GDPR Article 29)

In terms of student rights protected by the GDPR, your institution must allow students to:

  1. Easily request access to their personal information (GDPR Article 15)
  2. Easily update their own personal information to keep it accurate (GDPR Article 16)
  3. Have their data automatically deleted when your institution has no more use for it (GDPR Article 5)
  4. Easily request deletion of their personal data (GDPR Article 17)
  5. Easily request that your institution stop processing their data (GDPR Article 18)
  6. Easily request that their data be delivered to themselves or a third-party (GDPR Article 20)
  7. Easily object to profiling or automated decision making that could impact them (GDPR Article 22)

In terms of ensuring you have consent from students when processing their information, your institution MUST:

  1. Ask for consent when you start processing a student’s information (GDPR Article 7)
  2. Clearly outline what it is you are doing with their data in your privacy policy (GDPR Article 7.2)
  3. Make it as easy for your students to withdraw consent as easy as it was to give it in the first place (GDPR Article 7.3)
  4. Inform existing students whenever your institution updates your privacy policy (GDPR Article 7)

Finally, your Information Systems managers MUST:

  1. Regularly review policies for changes and effectiveness, and regularly review changes in data handling, storage, processing, and dissemination procedures and policies among your vendors (GDPR Article 25).

While this checklist is not exhaustive, it should give American community colleges and universities some solid footing to begin critically looking at their institution through the lens of legal compliance with the GDPR.

Jesse Lawson is the author of the bestselling book Data Science in Higher Education, a step-by-step introduction to machine learning for institutional researchers. He is an information systems professional at a public community college in California, and regularly contributes to statewide dialogue on data, artificial intelligence, and predictive analytics.