IT Forum Perspectives

Not yet GDPR compliant? Your school is not alone

Survey shows GDPR non-compliance is the norm in higher ed

by Anna Krenkel

If you feel like your campus is behind in efforts to become General Data Protection Regulation (GDPR) compliant, you’re in good company—a recent survey by the IT Forum found that not a single respondent would categorize their institution as GDPR compliant and more than half had not yet taken any steps towards GDPR compliance.

"What progress has been made on your campus towards GDPR compliance?"

GDPR Compliance Data

Institutions that selected the category "Other" indicated that they are aware of GDPR, but don’t have specific resources dedicated to becoming compliant—they fall between the two categories.

Limited resources to support GDPR compliance on campus

Unsurprisingly, the survey results show the level of staffing and funding resources dedicated to GDPR compliance at most institutions is low. Sixty-two percent of the survey respondents dedicate no funding to GDPR compliance, while the median funding from institutions that do dedicate resources to GDPR compliance is $10,000.

For institutions that have dedicated staffing resources to GDPR compliance, what is the composition of those efforts?*

GDPR Compliance Data

Similarly, 63% of respondents do not dedicate any staff to pursuing GDPR compliance, either within the central IT organization or beyond. Perhaps this stems from ownership for the compliance process–all respondents with dedicated staff also indicated that responsibility for guiding GDPR compliance falls to a central unit. Only one of the respondents who hired external support for GDPR compliance has done so without any internal staff either from central IT or other departments, which correlated to greater than average spending on GDPR compliance.

Data discovery is a looming challenge for GDPR late-comers

Survey respondents who have dedicated resources to GDPR compliance give an indication of challenges to come. Data discover was linked to the greatest gap in expectations of difficulty between institutions that have dedicated resources to GDPR and those who have not.

What aspects of GDPR are you finding (or did you find) most challenging?

GDPR Compliance Data

For those already making headway with compliance, other unexpected hurdles include difficulty creating documentation to justify the collection, processing, and storage of personal data, and securing resources to address compliance gaps. Institutions who have not dedicated resources to GDPR compliance demonstrate greater concern about earlier parts of the compliance process, such as educating campus and understanding the impacts of GDPR but they may later encounter these same unexpected obstacles related to personal data.

For additional information about GDPR compliance in higher education, explore our previous IT Forum blog post, which provides an overview of the regulation, identifies priority areas on campus most likely to require new processes and outlines next steps for managing data towards compliance.

CIO and IT Leadership Special Session: June 5 in Washington, D.C.

Join your peers from around the country for a full day of presentations from EAB's research experts, case study presentations, interactive group discussions, and a facilitated working session. There is no cost for registration.

Learn More and Register


  • Manage Your Events
  • Saved webpages and searches
  • Manage your subscriptions
  • Update personal information
  • Invite a colleague