The EU General Data Protection Regulation Has Arrived. Is Your Campus Ready?

The European Union (EU) General Data Protection Regulation (GDPR), passed in April 2016, reached its implementation date on May 25. The rule has a number of implications for college and university administrators across a variety of offices.

Generally, the main goals of GDPR are to offer greater rights to EU-located “data subjects” (the regulation’s term for an individual whose personal data is being collected) and to put additional regulations on organizations that collect and process the personal data of those data subjects. Some of the most notable changes for individuals include the right to:

• Access any data an organization has collected about them.
• Know how long an organization will store their personal data.
• In some cases, require an organization to permanently delete their personal data.

Among the additional requirements for organizations, the most notable for higher education require that colleges and universities:

• Have a breach notification plan and notify authorities within 72 hours of learning of a breach.
• Protect any personal data that they collect and use.
• Conduct an assessment to determine any risks and privacy impacts related to collecting and processing the personal information of data subjects, implement a plan to mitigate those risks and impacts, and continuously monitor both the risks and the mitigation plan for change.

Because GDPR aims many of its requirements at organizations that possess information about EU-located individuals, analysis of the new regulation is more straightforward for corporate entities targeting customers than it is for colleges and universities that have websites that may be accessible in EU regions but that are not designed to specifically collect information from EU-based individuals.

However, some activities undertaken by a higher education institution, such as EU-based study abroad programs, talent recruitment of EU-located individuals, and donation solicitation of EU-based individuals likely will trigger GDPR compliance concerns. Conversely, activities such as offering general recruitment materials on a university homepage, interactions with international faculty and students while they are physically located in the U.S., and blanket communications of general institutional information likely would not trigger GDPR concerns.

Ultimately, the new level of regulatory burden from GDPR will vary for each college and university, and its full impact will likely take months or years to understand. NACUBO recommends that campus leaders convene stakeholders across their institution to best develop a GDPR risk assessment plan and take steps to both mitigate risk and ensure institutional compliance.