GDPR – FAQ
Last Revised: November 11, 2018
What is GDPR?
The General Data Protection Regulation (GDPR) is sweeping data privacy legislation that was passed by the European Union in 2016 and went into effect on May 25th, 2018. It protects the data of all EU citizens, regardless of where they are currently located. It has regulatory reach across borders to anywhere an EU citizen may be generating a digital footprint. In brief, GDPR promotes one consistent concept – that data privacy is a human right, not a consumer right.
Who does GDPR affect?
Almost every company in the world. Most universities (considered ‘data controllers’) in the United States will be subject to some GDPR oversight. Under the strictest interpretations of the law, answering yes to any of these questions indicates that GDPR applies to you in some capacity:
- Does your institution have EU students or applicants?
- Are your employees from EU countries?
- Do you market to EU students?
- Do you have students studying abroad in EU countries?
- Are your donors from the EU?
- Do you have research grants from the EU?
While there are potential applications of this law to nearly every institution in the United States, that’s not to say that all institutions have the same risk of non-compliance. In fact, some major software providers have publicly stated “To be considered ‘offering services’ requires some degree of targeting [targeted marketing]. The mere fact that EU students are enrolled is not sufficient.” That interpretation may be valid, but has not been confirmed by any governing bodies, and the Higher Ed community has not reached a consensus.
In addition to universities, all vendors who handle personal data on behalf of the university are considered ‘data processors’ and are also subject to the regulations.
How do institutions achieve compliance?
While this is a broad question, three areas deserve focus:
People and culture
GDPR compliance is as much a change of culture as it is a change of policy. It begins with taking data privacy seriously as an institution, and getting organized around data privacy and security. From the top down, universities (as well as most companies in the world) will need to create a culture of responsible and ethical data management, including significant documentation and accountability.
While there will certainly be many contributors to GDPR compliance, the regulation specifically calls for a new role of a Data Protection Officer who should be primarily accountable for compliance at the institution. At universities, I expect this role will be adopted by CISOs, Legal Counsels, IT Professionals, and Chief Privacy Officers (when available).
Process and policies
GDPR specifically calls out several key concepts that universities must apply to data collected from EU citizens. We have selected five of the most relevant Articles to highlight how they could affect university processes and policies.
Processing of personal information – To be legally allowed to process an EU citizen’s personal data, universities will be required to meet certain requirements of consent or purpose. Under GDPR, what constitutes ‘personal information’ is very broad – almost all data related to a student will fall under this category – so this potentially has large ramifications for the school. However, since these requirements are ambiguous, I’ll discuss them in more detail in our next post.
Transparency – Individuals should be provided notice of what information is being processed, and this should be expressed in a clear manner. The most obvious interpretation is that privacy policies must exist, and they must be comprehensible for students.
The right to be forgotten – For data that is not critical to the university’s operations, EU citizens should be allowed to request that their data be deleted. Like other Articles, there are conditions, and students should not expect that their grades should be deleted upon request.
Privacy by design – Another core concept of GDPR, the regulation states that personal privacy should be considered in the design of all systems and processes.
Sensitive and personal data – Compared with U.S. definitions, GDPR broadens the definition of personal data to any data that can be used to identify a person. Specifically, data points like Student IDs and IP addresses become personal data. It also defines sensitive data, which among other things includes any health, religious, and racial data the university might possess. The implication is that some systems that would otherwise have been out of scope (such as a website that doesn’t have any forms or logins) must still be managed under GDPR, and sensitive data must be managed carefully.
Data management and security
Finally, another critical component of GDPR is the management and security of personal and sensitive data. While concepts like safe harbor already exist in the EU, this legislation introduces more stringent rules regarding the management and storage of data. Most notably, data processors and controllers are both required to store no more data than necessary, for no longer than necessary, according to a principle called ‘data minimization’.
The legislation also lays out some guidelines for data security, although more specific policies are required for programs like the EU-US Privacy Shield. The most well-defined security policy is around data breaches, which require that people are notified within 72 hours of an incident.
While data security is already an important issue for universities, this legislation certainly adds an incentive for universities to be diligent stewards of data.
How does Degree Analytics comply with GDPR?
Even when working with institutions located in the United States, Degree Analytics still has responsibilities as a “data processor” under GDPR regulation. While the liability of the data processor (Degree Analytics) and the data controller (the institution) is mostly limited to EU citizens’ data, Degree Analytics has adopted GDPR data privacy and protection standards to simplify the management of all institutional data.
Degree Analytics assigned an internal task force and consulted third party experts to ensure our systems and processes were prepared for GDPR by its effective date of May 25, 2018. As data processors, the impacts on our Master Services Agreements and product user interfaces were minimal. To provide more transparency into the effects of GDPR on our clients, the following section details the impact of specific articles on our clients as data controllers, and our responsibilities as a data processor:
Article 6 – Lawfulness of Processing
- Law: Universities must establish “legitimate interest”, a binding contract, or “consent” from a user
- Degree Analytics: When our analytics are used for intervention purposes, we recommend capturing consent to safely comply with GDPR
Articles 12 and 13 – Transparency and Information to be Provided
- Law: Universities should enhance disclosures and privacy policies to data subjects
- Degree Analytics: We provide our expertise, guidance and language that can be included in University disclosures to comply with the law
Articles 15 and 17 – Right of Access and Erasure
- Law: Controllers must allow students to gain access to their data and erase data (with several exceptions)
- Degree Analytics: Our team has built features to allow the expedited delivery or erasure of data upon request
Article 25 – Privacy by Design
- Law: Data processing tools and systems must be built with “privacy by design” as a fundamental concept
- Degree Analytics: Degree Analytics has built its platforms from the ground up with strong consideration for “privacy by design”; our platform never discloses any information that is unnecessary to student success (e.g., an individual student’s location at any given point in time)
Articles 32-38 – Security Considerations
- Law: Processes, roles and standards must be created around securing personal data
- Degree Analytics: In order to meet the expectations of our clients, Degree Analytics has invested considerable resources in data security, even prior to GDPR, meeting all security standards. With respect to GDPR, we go even further to comply with the law
What happens if there is a data breach?
If Degree Analytics becomes aware of a security breach of its systems by an unauthorized party, or that any user data was used for an unauthorized purpose, we will notify our customer agency/institution of any breach resulting in the unauthorized release of data, electronically at minimum and without unreasonable delay, so that our clients are aware and prepared to take appropriate steps.
Degree Analytics 2505 E 6th St Unit B Austin, TX 78702