The GDPR, the General Data Protection Regulation, applies from 25 May 2018. Most institutions of higher education will need to comply with it. It is not a guideline but a binding regulation that governs the personal data of more than 512 million people, everyone located in the 28 European Union countries, not only citizens. The GDPR carries penalties for non-compliance, with administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, which no university can afford to ignore.
If a university or college based in the U.S. has a campus in Europe or runs study abroad programs there, it is required to comply. Under Article 3(2) the regulation also reaches institutions outside the EU that offer goods or services to people in the EU, such as distance learning delivered to students in any of the 28 EU countries, or that monitor their behavior, for example through online tracking of applicants, alumni, or faculty located in Europe. Read that way, the regulation covers the large majority of higher education institutions.
So where should an institution of higher education start? By understanding what personal data it holds, where that data lives, and how it is being processed and protected.
5 Steps to help make sure your institution can meet the new deadline:
1. Conduct a risk assessment. Review the institution's current data protection plan and identify the areas that need work to appropriately protect and secure student, employee, alumni, and donor data. Many institutions hold data that is never used within the institution. If the data is not needed for a stated purpose, do not collect it and do not keep it; data minimization and storage limitation are principles of the regulation, not just good practice.
2. Create a data protection plan that complies with the new regulation. Institutions can do this internally or hire external experts to help interpret the regulation and craft a plan for their unique needs.
3. Hire or assign a DPO (data protection officer) where the GDPR requires one. Under Article 37 a DPO is mandatory for public authorities and bodies, which covers most public universities, and for any organization whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data such as health or biometric data. This is not necessarily a full-time position: the role can be assigned to someone already on staff, provided it does not conflict with their other duties, or an outside consultant can be engaged to meet the requirement.
4. Implement measures to mitigate risk to data, and implement the processes the GDPR requires around lawful basis, consent, and data subjects' rights to access, correct, and erase their own data. Consent is only one of the lawful bases for processing and, where it is relied on, it must be freely given, specific, informed, and as easy to withdraw as it was to give. Work with marketing, admissions, advancement, and other departments to understand what data is collected and how it is used, how consent is obtained and recorded, and what tools are in place for locating and removing an individual's data on request.
5. Test your incident response plan. An incident response plan is a living document that needs to evolve with the organization. Just like a physical emergency plan, a virtual emergency plan is critical so that all key stakeholders know what to do, and how to do it, within a short amount of time. Time matters for all emergencies, and the GDPR puts a clock on this one: Article 33 requires a personal data breach to be reported to the supervisory authority within 72 hours of the institution becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and Article 34 requires affected individuals to be informed without undue delay when the risk to them is high. A delayed or disorganized response can end up costing colleges and universities significantly.
Given the nature of institutions of higher education, almost all of them will need to demonstrate compliance with the GDPR from 25 May 2018. In many ways higher education institutions are the very places that should show leadership in this area. They understand the value of data and the historical consequences of data being handled well or mishandled. We are living in a new world where data and privacy are important topics not just for business but also for classrooms and meetings within colleges and universities.
Whether an institution has been preparing and needs some help making the deadline, or has not even started yet, working with a cybersecurity and compliance company can provide expert advice on how to meet it.
GDPR compliance is a standard of data protection that all organizations should uphold, colleges and universities included. Be compliant, and use the regulation as a framework for safeguarding personal data. It is a serious issue that now has teeth and a timeline. Is the world of higher education listening? The GDPR applies to you.