What GDPR Means for U.S. Higher Education
With the European Union's General Data Protection Regulation looming, colleges and universities in the United States are working out how to achieve compliance.
On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) goes into effect. Like their counterparts in the business world, U.S. colleges and universities are scrambling to figure out how the rules apply to their overseas programs as well as to the data they collect on students and employees in the E.U. (The regulation's reach is territorial: it covers personal data of people located in the E.U., whatever their citizenship, so a U.S. campus that recruits, enrolls or employs people in Europe is within scope even with no European legal entity.)
Perhaps the headline on a May 15 opinion piece in The New York Times epitomizes attitudes on U.S. campuses: "Europe's Data Protection Law Is a Big, Confusing Mess." The author, Alison Cool, a professor of anthropology and information science at the University of Colorado Boulder, calls the law "staggeringly complex," "intentionally ambiguous" and "based on already outdated assumptions about technology." (Of course, the only thing regulated organizations hate more than a regulation that is too ambiguous is one that is too specific.)
The GDPR defines three basic roles in data transactions: the data subject (the person the data relates to); the data controller (which decides why and how the data is processed); and the data processor (which processes the data on a controller's behalf and only on its instructions). A university is typically a controller for its human resources and student data. It also could be a processor — for instance, if it handles a partner school's student records under a study abroad agreement. GDPR also places an emphasis on understanding and documenting which third-party vendors have access to personal data and what they are doing with it, since a controller remains responsible for data it hands to processors.
The GDPR also defines many rights for data subjects, including the right of access to data, the right to erasure (the "right to be forgotten"), and the right to restrict processing. Data subjects also have a right not to be subject to a decision based solely on automated processing, including profiling, where that decision has legal or similarly significant effects on them.
"In Europe, privacy is a fundamental right. In the U.S. today we do not have a fundamental right to privacy, so there is a completely different framework that the E.U. is using to approach this issue," said Jordan Fischer, managing partner of XPAN Law Group in Philadelphia. Her practice focuses on international data privacy, cybersecurity and cross-border data management, with a special emphasis on GDPR. "I think it can sometimes be jarring for U.S.-based institutions to understand that it is a fundamental right and needs to be treated that way."
Universities have three different "buckets" of data most likely to be impacted by GDPR, Fischer explained. The first bucket, she said, involves students who are foreign nationals coming to university in the United States or attending the university's locations abroad. "Any data you collect on those students — from a name to disability status or grades — will be considered personal data."
Another bucket is human resources data. Faculty and staff at U.S. universities may themselves be E.U. nationals, and a university with operations abroad is likely to have a number of employees located in the E.U.
The third major bucket involves marketing. "Marketing data tends to be collected without a real eye toward privacy," Fischer said. "With GDPR, if a student doesn't apply to your university but does some interaction with your website, and does have marketing interaction with you, that data will also be impacted," she explained. "It won't be as robust or sensitive as the data you have on your actual students, but a potential student is going to provide you some personal data that is going to have to be protected. The GDPR is about making sure you are doing what you need to be doing and then proving you are doing it via documentation and governance."
Several universities have set up working groups to steer campus efforts on GDPR, but most are in the early stages of identifying impacted systems and processes, and that fact seems to make them reluctant to speak about it. Campus Technology reached out to five universities that have GDPR working groups. Two did not respond to requests and the other three declined to be interviewed about their efforts.
The web page for a working group at George Washington University in Washington, D.C., notes that the university must be able to point specifically to consent or to a stated business purpose as the legal basis for processing data. The GDPR's consent requirements are very specific: consent must be freely given, informed and unambiguous, and it limits the use of personal data to the purposes stated in the consent document; using the data for anything else requires a fresh basis.
A working group at the University of Michigan states on its web page that it is tasked with identifying relevant GDPR requirements and prioritizing key compliance components and activities. Examples include:
- Identify relevant data flows and develop a GDPR data registry;
- Determine processing purposes and legal ground for processing;
- Implement privacy statements and key compliance activities for impacted processes;
- Identify other processes affected by GDPR and develop or update relevant documentation and processes;
- Develop a website and toolkit to disseminate information and facilitate compliance;
- Strive to identify potential GDPR compliance technical needs and/or solutions; and
- Draft recommendations for a sustainable ongoing GDPR compliance program.
After surveying 60 people in units that store or process data likely to be affected by the GDPR, the U-M GDPR project team has begun work on a master privacy statement template for the university that will account for GDPR compliance and reflect privacy statement best practices.
It's not clear yet how the European Union could enforce the GDPR's regulations on U.S. institutions. But Fischer said that if U.S. universities have partnerships with any E.U. institutions, those E.U.-based entities are certainly going to want to ensure that the data is being protected in a way that is compliant. Many U.S.-based universities have strong relationships with E.U. institutions, so losing those connections is a risk if they aren't compliant, she said.
Despite a few examples of proactive engagement, most universities haven't grappled with GDPR yet. "We are a little bit slow in the U.S. to pick up on what is going on in Europe, and I think it is difficult for universities to determine who should be leading this initiative," Fischer said. "It is kind of like compliance, kind of like privacy, kind of like legal, kind of like technology. So because it is not quite clear who should be taking ownership of the initiative, GDPR gets put on the back burner."