Co-Authored by: Jaye Wilson
It has been nearly three months since the General Data Protection Regulation (GDPR) went into effect, and its impact has varied among corporations, small businesses, higher education and other organizations. Larger organizations spent a significant amount of resources, effort and money to comply with the regulation before the enforcement date, while others have taken the approach that they are too small to be targeted and are not worried about the regulation being enforced against them. One sector that GDPR could affect across the entire United States is higher education.
How Will GDPR Affect Higher Education?
GDPR defines three basic roles in data transactions: the data subject (the person the data relates to); the data controller (who decides what is done with the data); and the data processor (who handles the data on the controller's behalf). A higher education institution (institution) is in all likelihood a controller with respect to its human resources and student data. It could also be a data processor, for instance, if it has a partnership through its study-abroad program. GDPR also places an emphasis on understanding and documenting what data third-party vendors have access to and what they are doing with it.
GDPR also sets out rights for data subjects, including the right of access to data, the right to erasure (the right to be forgotten), and rights to restriction of data processing. For instance, data subjects have a right not to be subject to a decision based solely on automated processing.
Institutions typically have three different categories of data most likely to be impacted by GDPR. The first bucket consists of students who are EU citizens coming to an institution in the United States or attending the institution’s locations abroad. Any data you collect on those students, from name to disability status or grades, will be considered personal data.
Another bucket is human resources data. People who work at U.S. universities may be EU citizens, or if an institution has operations abroad, it is likely to have a number of EU employees.
The third major bucket involves admissions and recruiting. Under GDPR, if a student doesn’t apply to your institution but has some interaction with your website, or has an admissions interaction with you, then that data will also be impacted. It won’t be as extensive or sensitive as the data you hold on your actual students, but a potential student is going to provide you with some personal data that will have to be protected. GDPR is about making sure institutions do what is needed to protect the privacy of data and validate, through documentation and governance, that the controls they have implemented are effective.
The new rules require institutions to take extra steps to protect the personal information of people in the EU, regardless of whether they are EU citizens or permanent residents. So the requirements would also apply to American students or faculty members who communicate with campuses while they are in the EU.
Institutions that have campuses abroad, or faculty traveling abroad and using their work email, will now be subject to the GDPR regulations. Online-only institutions will now need to start protecting the personal data of EU citizens, since anyone is able to enroll at these online schools. Enrollment management will now be required to collect only the information it needs to enroll students at its institution and to retain that data only as long as necessary. It is going to be difficult for higher education institutions to determine when they should start purging data and how they will honor the “right to be forgotten” for alumni, students, faculty or possibly recruits who want their information purged from the institution’s systems. GDPR is going to make business as usual for higher education a little more complex.
What Are the First Steps to Take?
Now that higher education institutions need to start thinking about becoming compliant with GDPR, what are the first steps to take toward that goal?
Unfortunately, these are not the only things that need to be completed to become compliant, but completing these would be a great start for any higher education institution or any organization to become compliant with GDPR.
If you have any questions related to your organization’s compliance with GDPR, please contact Eric Wright at 412-697-5328 or firstname.lastname@example.org.