Many North American colleges and universities have paid relatively little attention to the new General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018.
However, chances are your campus—and specifically your enrollment department—handles information that is subject to this new European Union (EU) regulation and most colleges and universities will find that their current data collection practices are not in compliance with the new law. It’s critical that your school is compliant: GDPR violations carry the potential penalty of 4% of revenue or 24 million dollars.
What is the General Data Protection Regulation?
GDPR is an EU law passed to ensure standardized guidelines for the collection and use of all personal data collected from EU residents. In essence, GDPR increases individuals’ ownership over personal information and puts the burden on organizations collecting personal data to justify and document everything they collect. It applies to any business or organization (including colleges and universities) that processes EU residents’ personal data—and not just those organizations located physically in the EU.
Your school should be able to, when requested, provide any EU student a full list of all the data collected and retained by your institution. Could you do this today? Many colleges and universities will answer no. In most cases, GDPR will require an overhaul to your current data collection procedures, not just minor adjustments.
6 ways GDPR will impact recruitment, admissions, and enrollment
GDPR does not just affect data collection moving forward—it also applies to all data you currently have. Below are six common activities that may be violating GDPR without you even realizing it.
- Prospective student data collected at college fairs at home and abroad are subject to regulation.
This is considered an international data transfer, and the way you collect, store, and use this data falls under GDPR guidelines. Even if you collect the data in a non-EU country, all EU residents’ data still fall under GDPR.
- Automatic enrollment of prospective students in marketing communications is problematic.
Many institutions use an opt-out (instead of opt-in) marketing strategy. GDPR no longer allows this—you must get explicit consent from those individuals covered by the regulation before using their data for any activity outside the scope of the original purpose. Permission by default is no longer acceptable.
- Data kept on applicants for statistical or institutional research purposes may require new treatment.
You are no longer allowed to indefinitely hold EU residents’ information, which can impact your ability to analyze applicant, student, and graduate data over time. There are provisions in GDPR to maintain various types of data that are no longer personally identifying, but exact procedures need to be reviewed with the help of on-campus experts in legal and IT.
- Maintaining alumni data for marketing purposes requires new consent.
While you don’t necessarily have to wipe your alumni database of EU residents, you do need to know whether or not your existing databases of alumni information meet the new standards. Under GDPR guidelines, marketing communications are not allowed unless you gather explicit consent for each instance of outreach, so if your alumni haven’t agreed to receive these messages, you cannot send them.
- EU students enrolled in distance learning programs (even if the courses are free) are subject to GDPR.
Under previous EU law, distance learners in EU countries were not protected if they were studying at U.S. institutions, but GDPR applies even to institutions that do not have any infrastructure within the EU. This change has flown under the radar for many U.S. schools, and is an important update to EU data protection policy.
- Not knowing what data the department retains about EU residents must be rectified.
GDPR covers not just the basics, like admissions files or student data, but any and all data (think post-visit surveys, paper registration forms for events, etc.) held on EU residents. GDPR aims to ensure unchecked data collection ends and that individuals can ask for on-demand summaries of all data held on themselves.
What to do now to work toward GDPR compliance
Industry legal experts all agree on a few key first steps. As soon as possible, schools should:
- Immediately join the conversation.
Identify the primary institutional contact for GDPR compliance (often a colleague in IT or the general counsel office) and secure a seat on any campus-wide GDPR committees or task forces.
- Perform an initial data audit.
Identify what data you collect and where it’s stored, who has access to it, what you do with it, and your data removal procedures. Starting now will limit your liability and prepare you to tackle further GDPR changes your team will face in coming months. Keep in mind that “data” means everything, including one-off surveys, scholarship eligibility information, website visit data, photographs, and more.
- Run a data breach drill.
Your college or university as a whole will need to develop a comprehensive security strategy, but within your enrollment team we recommend running data breach drills: Could you identify all affected EU residents and efficiently notify them within 72 hours? Do you have a communications strategy? A drill will identify areas of non-compliance within your current procedures and give a sense of what would be needed if EU regulators contacted you to test your compliance.
There will be many more changes to come, but these three actions will set you on the path toward compliance. This can also serve as an opportunity to understand the extent of the data your team holds and to reconsider what data is and is not necessary to collect—think of this as your information spring cleaning.
It will take years to fully see how GDPR will be both interpreted and enforced by the EU, but given the increase in national conversations surrounding data privacy and security, we strongly recommend pursuing good-faith measures to meet the rigorous standards of GDPR. You will want to discuss your school’s interpretation of this regulation with your legal team and apply their recommendations to your enrollment department as soon as you can.