The EU’s General Data Protection Regulation (GDPR) has been gaining a lot of attention lately, as the law’s effective date (May 25, 2018) looms closer. Most of the attention, however, has been focused on commercial entities — businesses that are located in or have customers in the EU. But one huge sector has attracted little notice in the ensuing conversations: American universities. Since there hasn’t been a lot of buzz about it, I’m concerned that some universities may think they’re not affected — but they are.
What American universities need to know about the GDPR
What is the GDPR?
The GDPR is a law passed by the EU to apply fair, standardized, consistent guidelines to the collection and use of personal data. When it goes into effect on May 25, 2018, it will apply not only to EU countries, but also to any business or organization that has customers (even just a few) who are EU citizens.
What does that have to do with universities?
The GDPR applies to any university that has:
● Students from EU countries
● Employees (professors, administrative and support staff, etc.) from EU countries
● Students studying abroad in EU countries under certain circumstances
● Research grants from EU countries
● Donations from alumnae who are citizens of EU countries
The takeaway here is that possessing data on even a single EU citizen obligates you to comply with the law’s requirements. That also extends to any third parties (such as outsourcing vendors) that may come in contact with the data.
For many universities, complying with the GDPR will require changes both on a strategic level — what data they collect, how they use it, policies regarding their digital communications, etc. — as well as on a tactical level (such as making sure consent forms and privacy notifications meet GDPR requirements).
Your journey to GDPR compliance
The most important thing to remember about the GDPR is that it’s not something you can just layer on top of existing policies and processes. While existing policies and processes can help you become compliant with aspects of the GDPR, GDPR compliance is foundational, as integral a part of your operations as budgets, curriculum, or student life. It has to become inseparable from “business as usual.” To accomplish that, you have to start at the very beginning.
Start by performing a data audit
The first step in achieving compliance is to figure out what data you’re collecting, where it’s stored, who has access to it, and what you do with it. It’s a particularly challenging step for institutes of higher education because different departments tend to operate somewhat independently. Examples of data collected and stored by universities may include things like:
● Family income, used to determine scholarship eligibility
● Demographic data, used to further diversity efforts
● Academic records
● Health information
● Records of website use and research
● Religious affiliations
● Records of extracurricular memberships and activities
● Records of alumni donations
● Photographs and other personal information associated with student IDs
A data audit serves two purposes. First, the GDPR requires you to document what data you have, where it comes from, how you use it, who has access to it, etc. Second, conducting a data audit can be a lot like cleaning out your attic before a move: You discover stuff you forgot you ever had. If you determine that you have data that you don’t need, get rid of it. That reduces both your liability and your workload.
Identify the touchpoints that require consent and/or notification
The GDPR has very specific rules when it comes to consumers’ right to privacy, requiring you not only to ask for consent before collecting data but also to provide clear notification regarding the data and its use.
Once you’ve completed your data audit, map it all out and identify the places where the GDPR requires you to ask for consent or provide notification. And don’t just go for the low-hanging fruit, because you’ll probably need to get consent and/or provide notification more often than you do currently.
One important tip is to take a high-level look at the various categories of data you’re collecting, because the GDPR treats certain types of data differently from others. For example, the law states that personal data can’t be used for automated decision-making. That presents a challenge for U.S. universities using demographic data to reach their Affirmative Action goals. There are, however, exceptions for data collected for statistical, historical, or scientific purposes. Therefore, universities may be able to maintain compliance while getting the data they need by developing explicit consent requests for certain types of information.
Develop GDPR-compliant copy
The law’s requirements regarding consent and notification are very specific and include things like:
● The legal rationale for collecting the data
● How long the data is kept
● Consumers’ right to access their data (which must be provided within 40 days of the request)
● Consumers’ right to request the deletion of their data
The law also states that the language used in notifications and consent requests must be simple and clear rather than indecipherable legalese, so even existing forms and notifications will probably need to be rewritten.
In addition, the requirements can vary based on the type of data being collected. The collection of data that is identified as “sensitive” under the GDPR requires explicit consent — an “opt in,” in other words. Collection of other types of data doesn’t require explicit consent, but it does require “unambiguous” consent, meaning that the request for consent is made using clear, easily understood language.
Develop a communication plan for breaches
The GDPR also has specific requirements for notification in the event of a data breach. While notifying consumers that their data may have been compromised is common, the GDPR imposes a timeline. Notification to those impacted must take place within the first 72 hours after a breach is detected. While universities may already have adopted data breach notification practices — 48 states in the US have laws requiring such action — but the DGPR may impose stricter requirements.
Determine whether the university needs a data protection officer (DPO)
The GDPR requires some entities to appoint a data protection officer (DPO) — someone whose primary responsibility is to safeguard personal data. According to the GDPR, a data protection officer is required for any organization that is a public authority, a definition that could conceivably apply to public universities. Since the boundaries of this part of the law haven’t been tested yet, it’s a good idea to consult with your legal advisor or a digital policy expert.
The importance of change management
As I mentioned earlier in this article, GDPR compliance isn’t something you can plaster onto existing processes. It truly is a ground-up transformation of your approach to data. And large organizations — universities in particular — are notoriously resistant to change. Without a comprehensive change management endeavor, you’re likely to get reactions ranging from superficial compliance to “If I ignore it long enough, maybe it will go away.”
What you really want, however, is for your university staff to internalize this new way of looking at data. That requires a coordinated, well-planned approach to change management, including things like:
● Explaining the reasons for the changes you’re making
● Outlining the consequences of not becoming compliant
● Providing specific instruction as to what university staff should do and should not do
● Providing support for those who have questions or need guidance
While May 25, 2018, is approaching quickly, there’s no need to panic. However, there is a lot universities need to do before the deadline, and there’s no more time left to waste. If you need help figuring out what to do and which steps to prioritize, I’ll be happy to help — just get in touch.