10+ ways for higher education institutions to prepare for GDPR compliance
It was announced on the 25th of January 2012, adopted on the 27th of April 2016 and will apply from the 25th of May 2018. It replaces the 28 national data protection laws currently in place across Europe with one single, robust regulation, which should make cross-border activities within the EU easier and offer uniform protection to natural persons.
The GDPR, also known as the new General Data Protection Regulation, is keeping everybody on their toes because of the complexity of this move from the European Union. Effectively, the regulation gives natural persons ownership over all data that can be traced back to them, and it also obliges organisations that hold that data to get informed consent, protect the data, let the subjects exercise their rights under the GDPR and much more.
Especially in the current context of internationalisation, higher education institutions should prepare to understand what the GDPR entails for them and act on becoming compliant before the 25th of May 2018. From an internal perspective, universities need to put better data protection systems in place. At the same time, higher education staff need to build or further apply a “privacy-by-design” culture, with an emphasis on GDPR awareness.
On the 27th of March 2018, Studyportals hosted a webinar aimed at higher education officials on the subject of GDPR compliance, especially in the context of student recruitment. During the one-hour presentation, we were able to dive deeper into data protection and compliance, while already marking the most important steps on how universities can prepare for this shift in laws.
Below, you can read 10+ ways in which your institution can get ready to tackle the GDPR data law and be compliant with the new privacy protection laws coming from the EU.
1. Understand how your university is involved with GDPR
One of the most common questions around the GDPR is who is affected by the new regulation. “Does it apply to my university?” was also one of the main concerns during our webinar. If your institution checks one or more options from the list below, you will need to comply with the GDPR:
- You are an institution within the European Union or are active within the European Union;
- Your employees (professors, administrative and support staff etc.) come from EU countries and/or have EU citizenship;
- Your institution received research grants from EU countries;
- You got donations from alumni who are citizens of EU countries;
- You host students from EU countries;
- You have students studying abroad in EU countries under certain circumstances;
- You have data on prospective students interested in your university (e.g. tracking of website visitors or leads that filled in contact forms).
In conclusion, it is highly unlikely that GDPR will not apply to you.
2. Learn about why GDPR is happening in the first place
The intention behind the GDPR is, in the end, to strengthen and harmonise EU data protection. Recent cases such as the one involving Cambridge Analytica act as a cautionary tale for enforcing better data protection laws. As Nick Taylor, managing director of strategy for the UK and Ireland at Accenture, said: “It is important that companies do not regard this new regulation as a burden, but as an opportunity to become more aware of what data they have and a chance to build trust with customers and employees. Businesses that use the new ruling as a catalyst to overhaul customer experiences and deliver transparency to consumers will quickly find themselves in a leadership position.” The same logic applies to higher education institutions, which can now offer better and more secure data protection to their students, staff and other stakeholders. As mentioned in our webinar:
The goal of GDPR is to curb “bad actors” who could take advantage of loose laws around data and use this data.
Additionally, GDPR can actually help organisations make optimisation steps. For example, imagine a number of your teams, say from different faculties, used similar third-party tools for the same kind of activities, without knowing it. Consolidating these tools (e.g. using the same tools as much as possible) is not just a step forward within the context of GDPR, but also a way to consolidate your processes and save costs. There is no sense in reinventing the wheel.
3. Know your role in handling data
The two most common roles that universities can play regarding data are data controller and data processor. A data controller determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. A data processor, on the other hand, acts on behalf of the data controller and processes data according to its instructions. Of the two roles, the data controller bears the main responsibility and liability for compliance. In the context of student recruitment, higher education institutions fall into the first category, acting as data controllers. That position magnifies the responsibility your institution must take on regarding data protection.
Please note that whether you are a controller or a processor depends heavily on the activity or the type of data subject in question. Even an organisation that is a processor for its clients (e.g. a cloud storage provider or a payroll service company) is a controller of its own employee data. You may be a controller in one area and a processor in another. To determine your role, you will need to ask yourself where you are operating on your own behalf and where you are operating on someone else’s behalf.
4. Get to know what kind of data your institution is handling
There are three very important types of personal data to which your institution should pay particularly careful attention: sensitive, anonymous and pseudonymous personal data.
Sensitive personal data refers to any type of data that could be used to identify someone. This is also referred to as ‘special categories’ of data. The special categories specifically include genetic data, and biometric data that can be processed to uniquely identify an individual, also including health information, racial or ethnic information, or sexual life and orientation. The rules on sensitive personal data are strict and if you don’t need this type of data, we wouldn’t recommend gathering, storing or using it.
The second type of data is anonymous personal data, meaning information from which a data subject cannot reasonably be identified. This data type is not subject to the GDPR, but you should still be careful when processing it. Even without direct identifiers, a piece of data can sometimes be combined with enough other available data to trace back the identity of the data subject.
The last category of data is called pseudonymous data. This category refers to identifying information (e.g. name, contact details, email address) which has been modified in a way that makes identification harder: the data have been turned into pseudonyms that can be resolved back to the person only with a specific key. Examples range from something as simple as using a student number instead of a name to various data encryption techniques. While pseudonymous data still falls under the GDPR, since it can be traced back to a person provided you have the key, it is a valuable method of protecting personal data and is explicitly encouraged under the GDPR. We heartily recommend utilising pseudonymisation wherever you can.
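The following is an added illustration of keyed pseudonymisation as described above; it is example code written for this article, not a tool used by Studyportals or any university. It assumes an HMAC-SHA256 pseudonym over a prospective student's e-mail address and a lookup table held by the key holder, separate from the pseudonymised records, as the only way back to the person; the lead records are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List


class Pseudonymiser:
    """Keyed pseudonymisation of direct identifiers (assumed: HMAC-SHA256).

    The same identifier always yields the same pseudonym, so pseudonymised
    records stay linkable (one lead, several enquiries). Re-identification is
    possible only through the key holder's lookup table, which must be stored
    and access-controlled separately from the pseudonymised dataset."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._lookup: Dict[str, str] = {}  # pseudonym -> original identifier

    def pseudonymise(self, identifier: str) -> str:
        # Canonicalise so "Ana@Example.org" and "ana@example.org" link to one person.
        canonical = identifier.strip().lower().encode("utf-8")
        token = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> str:
        # Raises KeyError for a pseudonym this key holder has never issued.
        return self._lookup[token]


DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise_leads(leads: List[Dict[str, str]], pseud: Pseudonymiser) -> List[Dict[str, str]]:
    """Copy each lead, dropping the name and replacing the e-mail with its
    pseudonym; non-identifying fields (programme etc.) are kept as they are."""
    out = []
    for lead in leads:
        record = {k: v for k, v in lead.items() if k not in DIRECT_IDENTIFIERS}
        record["student_ref"] = pseud.pseudonymise(lead["email"])
        out.append(record)
    return out


# Constructed sample leads (not real people).
SAMPLE_LEADS = [
    {"name": "Ana Example", "email": "ana@example.org", "programme": "MSc Data Science"},
    {"name": "Ana Example", "email": "Ana@Example.org", "programme": "MBA"},
    {"name": "Bo Example", "email": "bo@example.net", "programme": "BA History"},
]

if __name__ == "__main__":
    # The key lives with the lookup table, never alongside the pseudonymised data.
    pseud = Pseudonymiser(secrets.token_bytes(32))
    for rec in pseudonymise_leads(SAMPLE_LEADS, pseud):
        print(rec)
```

A recruitment team working only on the pseudonymised records can still count enquiries per person, while a different key produces unrelated pseudonyms, so a third party without the key cannot link its data to yours.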
5. Understand what rights data subjects have under GDPR
The new data protection regulation is intended to give data ownership back to the data subject. Because of these changes, the data subject will be entitled to certain rights, such as: accessing their personal data, editing their personal data, moving their personal data between organisations, the right to be forgotten upon request, restricting or objecting to their data being used (e.g. for direct marketing), and the right to transparency about, and refusal of, automated decision making.
It is very important for your university to acknowledge what rights data subjects have because this will affect the way your institution will interact with the available data. Data subjects must also be made aware of their rights at the moment their data is collected (e.g. as part of a privacy statement).
6. Check what kind of legal basis for data your institution uses
Your institution should have a legal basis for each type of activity using personal data. Types of valid legal basis include:
- Data subject consent;
- Necessity for performing an agreement with the data subject;
- Compliance with legal obligations of the organisation;
- Legitimate interest.
Choosing the type of legal basis is highly dependent on your context. For example, consent from employees is often not sufficient, because there is a power imbalance between employers and employees, meaning that consent might actually not be freely given. That being said, in many activities involving student recruitment, consent from prospective students will likely suffice. Consent has certain requirements under GDPR, such as it being:
- Unambiguous: Have a clear affirmative action (e.g. clicking an opt-in checkbox on a form);
- Freely given: The data subject must have the freedom of choice to opt-in or not;
- Specific: Consent is given for specific processing activities;
- Informed: The data subject understands what processing they are agreeing to;
- Withdrawable: At any point, the data subject can withdraw their consent;
- Explicit: This especially applies to sensitive data, profiling or cross-border transfers.
7. If your university falls under the category of data controller, then get to know your obligations
As a data controller, your university has a clear set of obligations that it needs to respect. Especially after the 25th of May 2018, your institution will need to take appropriate measures for GDPR compliance and demonstrate this via documentation. After collecting the data, you are obliged to allow data subjects to exercise their rights within a time period of 30 days. You need to have data processing agreements written with your data processors and make records of all processing activities, especially for the high-risk ones. Cooperation with supervisory authorities is also key to creating a healthy environment regarding data protection.
8. Make sure you appoint a data protection officer
The best person that can help you keep a close eye on your data protection efforts is a data protection officer or DPO. This person would be responsible for overseeing your institution’s data protection strategy and ensuring compliance with GDPR requirements. Many organisations are required to have a DPO and register them with the data protection authorities. You are obliged to have a registered DPO if you fall in one of the following categories:
- Public authority;
- Larger than an SME;
- Core activities involve large-scale, regular and systematic monitoring;
- Core activities involve sensitive personal data.
Organisations can also voluntarily appoint a formal and registered DPO, which is an important demonstration of a GDPR compliance culture. Both mandatory and voluntary DPOs have the same requirements: expert knowledge of data protection law and practice, and no duties that conflict with the role. You can appoint someone in your current organisation who meets these requirements, hire someone new, outsource the role, or even share a DPO with other organisations, provided the DPO is easily accessible to everyone.
Even if you are not required to have a DPO, and choose not to have a voluntary or formal one, there are still benefits to having an informal GDPR expert internally. Even an informal DPO can help you become and stay compliant by centralising the knowledge and responsibilities under GDPR and providing guidance and constant supervision of your GDPR compliance.
9. Prepare for the worst-case scenario as best you can
With all the news going around about data breaches, a breach is the worst-case scenario for any institution or organisation that deals with personal data. Make sure you have procedures in place to detect, report and investigate potential data breaches. Be mindful of the fact that if a data breach occurs, the data protection authorities need to be informed within 72 hours of you becoming aware of the breach, unless you can prove that the breach is not likely to harm data subjects in any way.
10. Get legal advice and input regarding your data protection framework
Advising on the GDPR, or on any piece of EU legislation for that matter, can prove very complex. That is why, at the end of the day, the most important recommendation we can give higher education institutions is to seek legal advice and support for their unique context. Bringing experienced privacy professionals on board will make the biggest difference in your change management process regarding the GDPR.
Other points of change that we advise you to take on are:
11. Train your staff regarding GDPR and its implications;
12. Start a data audit in your institution;
13. Fix your priorities for your change process regarding data privacy;
14. Update all your existing documents accordingly;
15. Consolidate your data processing activities;
16. Draft new internal policies that are supportive of the new data protection regulations;
17. Focus on fostering an internal culture around GDPR.
At the end of our webinar, we asked the participants about how prepared they felt regarding GDPR implementation and compliance. The answer with the highest count was that higher education professionals felt somewhat prepared for the upcoming privacy law changes. In the end, no one is 100% ready for what will come, because no one knows exactly what will happen after the 25th of May 2018. The best way to proceed is to understand what GDPR stands for, what processes your institution needs to change and to get legal help for your activities.
Get the slides from the GDPR and Student Recruitment webinar.