GDPR for Higher Education

Higher Education: GDPR Applies to You – PART 1

Mar 14, 2018 | GDPR Compliance

With the GDPR’s May 25th, 2018 deadline fast approaching, many institutions are still not ready. Institutions of higher education whose primary base is outside of Europe may not be aware of the regulation or have considered how it will affect them. This quick review will help determine what colleges and universities outside of Europe need to do to be ready for the GDPR.


What is the GDPR? — a quick review


The GDPR, the General Data Protection Regulation, sometimes referred to as the regulation, was passed two years ago by the European Union to standardize a number of issues regarding the handling and security of data as well as residents’ rights to their information. The regulation requires quicker security breach reporting (within 72 hours to the proper supervisory authorities as well as without “undue delay” to the data subjects themselves) and requires that companies have a data protection plan that complies with new, more stringent standards.


Additionally, the GDPR gives individuals living in Europe greater rights over their data. These rights include the ability to be forgotten and the ability to have personal data given back to that person in a commonly readable format (that they may move to another controller). The regulation also requires clearer consumer consent: that means no more automatically checked boxes, no more hidden cookies, and no more legal language used to obscure or confuse.


The GDPR will affect most higher education institutions, even those based outside of Europe. Despite the regulation being passed by the EU, it has global reach and significant consequences for those who fail to comply (up to roughly $23 million or 4% of global revenue, whichever is higher). Organizations have had two years to prepare internal security processes and organizational shifts, and the law goes into full force on May 25, 2018. There will be no extensions for compliance.

Are US Higher Education Institutions subject to complying with the GDPR?


The short answer is YES. Most higher education institutions in the US will need to comply, including private universities and state 2-year and 4-year universities and colleges.


Quick Litmus Test:

  1. Does the Institution have a campus in or conduct study abroad programs in Europe?
  2. Does the Institution receive applications from any European-based students or residents?
  3. Does the Institution supply distance learning to students in any of the 28 EU countries?
  4. Does the Institution hold information on alumni, professors, or donors who live in Europe?


If you answered Yes to any of the 4 questions above, the GDPR applies. Data from EU residents or citizens, and from any non-EU citizen residing in the EU and accessing that institution’s site from the EU, must be handled according to the new regulation.


According to the Director of Federal Relations and Policy Analysis of AASCU, Barmak Nassirian, “US institutions with EU-based operations and those with significant numbers of EU residents as students—particularly those delivering distance education programs to such students within the EU—should be in the final stages of implementing GDPR-compliant practices now.” The now of that statement was August of 2017.


In more recent conversations, Nassirian has stated that institutions are “nowhere near ready” and “I seriously doubt that any institution in the U.S. will be even remotely in compliance on May 25.” He goes on to say that people don’t “even know that this existed, let alone taken steps to comply.”

How does an institution meet the new regulation’s requirements?


Most US standards of privacy protection do not meet the new, stricter European Union standards, so most colleges and universities—even though they may be following FERPA—will have to make some changes to meet the GDPR’s requirements for data protection and consumer controls. On the upside, the bulk of the new regulation is simply good data protection procedures that any institution will benefit from implementing. Viewed this way, the GDPR is an opportunity for institutions to improve how they manage data and protect students, alumni, and employees.


Three main areas of focus:


1: Consent

Consent must be freely given and clearly asked for. Boxes cannot be pre-checked, and the language used must be easily understood—no more legalese. Additionally, how the data will be used, stored, shared, or moved must be clearly and succinctly stated.


2: Data privacy

The EU views data privacy as an extension of personal rights. Personal data belongs to the individual, who has the “right to be forgotten.” According to the GDPR, if someone asks to have their data erased, the data must be erased. Also, if someone asks for their data to be returned to them, it must be provided to them in an easily movable and readable manner. They can then move this data to another provider/institution.


3: Data security

One of the primary points under data security is the requirement to report breaches within 72 hours to the appropriate European governing agency and to data subjects “without undue delay.”


“When you step back, the GDPR is really about good governance and good data hygiene — institutions can get their heads around that idea,” said Julia Funaki, Associate Director of International Education Services at the American Association of Collegiate Registrars and Admissions Officers. Data privacy and security is now an important issue for universities and colleges. The GDPR applies to most institutions of higher education and will impact the schools you attended and those your family plans to attend.


Please read Part 2 of this article here.