Educational institutions collect vast amounts of personal data from students and staff. Generally, this data falls in the category of regular personal data, such as names, email addresses, and physical addresses. On the other hand, sensitive personal data, such as health information, financial information, legal guardianship contact details, disciplinary records, are also often required. Given the huge quantity and high sensitivity of personal data collected, compliance with the GDPR will have to be a very conscious investment for higher educational institutions, both in terms of time, resources, and tooling. Below is everything you need to know about how the GDPR affects higher education institutions specifically, and how these organisations can start off towards compliance.
What is the GDPR in brief?
In order to understand how the GDPR may apply to your organisation, let's first briefly recap on what the regulation is, and who is subject to it.
The GDPR is the European Data Protection law effective in all EU and EEA countries. It imposes a single framework of data protection rules on the processing of personal data with two main goals: to protect the fundamental rights of data subjects and to create a level playing field for the processing of personal data in order to further the internal market.
Who is subject to the GDPR?
In short, all organisations that process personal data regarding data subjects residing in the EU are subject to the GDPR. This includes profit and non-profit organisations, and also organisations established outside the EU and providing their goods and services in the EU, or monitoring individuals within the EU. It’s pertinent to note that data subjects need not be citizens or have a permanent residence status in the EU in order to be protected under the GDPR; presence within the EU at the time of the processing activity guarantees data protection.
Does the GDPR apply to YOUR higher education institution?
As the GDPR applies to organisations in all sectors, it’s very likely that your higher educational institution is also subject to the regulation.
The GDPR applies to your higher educational institution if it:
• Has students and staff that are citizens of EU/EEA countries
• Has students enrolled in exchange programs to EU/EEA countries
• Receives tuition payments from EU/EEA countries
• Offers certain grants or loans to and from EU/EEA based institutions and individuals
• Has affiliations with former students from and who are residing in EU/EEA countries
Additionally, as higher education institutions are classified as public authorities, the public task basis is very likely to apply to a higher educational institution’s processings. For example, your institution could rely on the public task basis for processing personal data for teaching and research purposes.
Why does the GDPR have a profound effect especially on educational institutions?
Most higher educational institutions hold an immense amount of sensitive personal data from students and staff alike. For this reason, it’s become crucial to ensure appropriate protection of that data. However, it can get even more complicated when third-parties are involved. For instance, when outsourcing the collection of tuition fees or student insurances. Additionally, there is an exceptionally large amount of usual activities that are specific to the industry, that involve the processing of personal data. To name a few, activities such as handling university applications, communicating with former students, direct marketing to potential/existing students, partnering with other educational institutions, and handling scholarship applications all require the processing of certain personal data.
Additionally, while the financial consequences of being deemed non-compliant by respective data protection authorities can be major, a potential loss of reputation due to non-compliance can come down very hardly on higher education institutions especially. A recent study conducted in the UK revealed that 16% of the half-million students surveyed stated that a prestigious brand of university is the number one aspect when choosing where to study. With that in mind, there have been several cases where universities fall victim to data breaches or cyberattacks to suggest that having the appropriate data protection measures in place are crucial.
GDPR exemptions for higher education institutions to take into account
The GDPR states that an exemption might be applicable to your institutions in regard to the rights of access, rectification, and restriction (Articles 15-18 GDPR), if the use of personal data is limited to the purpose of scientific or statistical research. The Dutch GDPR Implementation Act states that processing special category data for historical or statistical research in public interest, could be an exemption also. However, this exemption is only applicable when consent is deemed difficult or impossible to obtain, and appropriate safeguards must still be implemented. Meanwhile, under the UK’s DPA 2018, there are general exemptions for several obligations in the GDPR in regard to academia, art, literature, and research, which could be found applicable to your organisation.
What are the first steps to get started with GDPR compliance?
Your institution will first need to understand the data that you hold; It's imperative to know why it has been collected, how it’s been processed, who has access to it, and when it should be removed. The GDPR also states that the documentation of this process is mandatory, as per the accountability principle. In order to start fulfilling the obligations of the GDPR, an inventory of sources and a data map will come in handy.
It might not seem necessary at first, but in our experience, many organisations find difficulty in plotting their organisation structure. Still, this is crucial in terms of both inventorying processing activities and getting your governance in place. Moreover, by assigning people responsible for compliance in various parts of your organisation, you will be able to roll out a governance model!
Below is an overview of the key sources for the inventory:
• Systems in use in the broadest sense, such as your application system, your institution’s network, SaaS services, data analytics, and big data services.
• External stakeholders in the broadest sense, such as tax authorities,employment agencies, chambers of commerce and online agencies. These are stakeholders which you exchange personal data with, and therefore should be taken into account in your inventory.
• Internal stakeholders, such as legal counsels, internal staff or external consultants like administrators, who may help in inventorying data processing activities.
After having an inventory, the next step is to conduct a data mapping exercise. Conducting a data mapping exercise helps organisations understand how personal data is being processed, who is responsible for certain actions, why it’s being processed that way, and gives an overview on one’s data flows. This allows organisations to assess privacy risks and points that would need improvement.
Article 30 of the GDPR requires organisations with 250 or more employees, and organisations for which data processing is an important part of their business, to provide an overview of their processing activities.
However, all organisations are obliged to provide information on processing activities on requests of the supervisory authorities and data subjects. Consequently, your organisation needs a clear overview of its processing activities, even if article 30 does not apply directly to your organisation. Such a clear overview can be reached through a data map.
For the exact steps on how to create a data map, check out this whitepaper.
Appointing a DPO
As even the first steps require a lot of time and resources, it makes sense that higher education institutions are obliged to appoint a Data Protection Officer.
It's obligatory for organisations that execute regular and systematic monitoring of data subjects on a large scale, or that process special data. Data protection officers have an independent position and liaise with data subjects and supervisory authorities and advise their organisation on obligations emanating from the GDPR.
If you are in the process of hiring a DPO, but are not sure what makes a great candidate for this position, check out our blog post on ''How to find the right DPO for your organisation''.
Put the necessary safeguards in place
Make sure that personal data is processed by your organisation in a compliant manner
Your organisation should be aware of all the data being processed. This includes having an adequate understanding of data processing procedures, to provide the information on how, where, and why personal data is being stored and processed. Furthermore, by having this overview, you will be able to identify where changes are needed to be more aligned with the GDPR.
Ensure that data protection strategies are in place
It’s important to ensure that data protection strategies are in place and are frequently evaluated. The established data protection strategy should be communicated to relevant stakeholders, covering what roles they may hold and why. Additionally, this also means that privacy statements should be regularly updated in order to provide concrete information about your data protection efforts to both internal parties such as staff, but also for external parties such as students and other individuals.
Have a comprehensive procedure for Data Subject Access Requests (DSARs) in place
The GDPR provides data subjects, such as students and staff members with several rights, like the right of access. When a data subject exercises this right, your institution is obligated to provide them a copy of what personal data you have on them. Furthermore, an explanation should also be provided that covers:
• The purposes of the processing of the personal data
• The categories of personal data concerned
• Other recipients your institution may share the personal data with
• Details of relevant safeguards in place for when personal data is transferred outside the EU/EEA
• The retention period for storing the personal data
• The right for students/staff to lodge a complaint to supervisory authorities.
It’s also key that your DPO/Privacy Officer is well aware about the procedures you have in place, and are involved in the handling of a DSAR.
This is needed especially when the data of other data subjects are involved in the request. As time plays an important factor when responding to a DSAR, your institution should take into account the number of data subjects you have, and the frequency of DSARs received when setting up appropriate measures, and looking into possible automation of processes.
Understand implications on automated decision making / profiling for applicants
Profiling is a form of automated processing of personal data which could lead to the evaluation of certain personal aspects relating to a data subject. The process analyses or makes a prediction in regard to a data subject’s performance, economic situations, preferences, interests, and even health.
All organisations should be transparent and fair in their use of profiling and automated decision-making. It’s crucial to consider the several rights related to automated decision making in general, and take into account that one can only carry out automated individual decision-making with legal or similarly significant effects if the decision is considered necessary for entrance or performing a contract between the organisation and data subject, authorised by law or a legal requirement (or it’s been based on the data subject’s explicit consent).
For automated individual decision-making with such effects, data subjects also have the right to request human intervention or challenge a decision.
Update your Data Processing Agreements (DPA)
According to the GDPR, data controllers should sign an agreement with any parties that act as data processors on their behalf. This agreement is otherwise known as a Data Processing Agreement. It serves as a legally binding contract that states the rights and obligations of each party that's involved in the protection of your institution’s personal data. Taking the time to regularly update your DPA, is an important part of staying GDPR compliant. As certain procedures in your handling of personal data change over time, or other developments that impact existing agreements occur, it’s crucial that your institution makes the individuals whose data are involved in the processing aware.
Perform Data Protection Impact Assessments (DPIAs)
The EDPB often requires large scale processing to have a Data Protection Impact Assessment (DPIA). The Working Party 29 (now known as the EDPB) recommends that the following factors should be considered when determining whether the processing is carried out on a large scale. Given the large amount of personal data typically processed by higher education institutions, especially in case of sensitive data or of a highly personal nature, performing a DPIA is highly recommended. Take a look at how to perform DPIAs, step-by-step.
Identify lawful basis for direct marketing to current & former students
Typically, educational institutions find it imperative to be able to communicate with both current and former students. Often, this happens through direct marketing, such as emails.
The GDPR defines direct marketing as the processing and collecting of personal data from individuals and sending them personalised communications, not limited to commercialised content. The EU privacy regulation states that in order for an organisation to carry out direct marketing, they should first identify a lawful basis.
The ICO’s recent Draft Direct Marketing Code points out that two lawful basis that are most applicable for direct marketing purposes, although not limited to, are consent and legitimate interest. If you choose legitimate interest as your lawful basis, your institution should run several steps which include balancing your legitimate interests with rights and freedoms of current/former students before the marketing activities are conducted. Whereas, obtaining consent from students could prove to be a more concrete choice that offers further transparency.
However, it should be taken into account that for your institution to conduct direct marketing, recipients should be provided with a privacy notice that explains your processing, including how you use their data for marketing purposes and where you gathered that data from. Lastly, your communication methods should clearly offer recipients the choice to opt-out and stop receiving your marketing efforts.
Prepare for the case of a data breach
In the case of a data breach, your institution should have procedures ready to respond within the required 72 hour time-frame set out by the GDPR. The regulation states that all organisations are obligated to report certain types of data breaches to the relevant supervisory authority. If the breach is deemed to result in a high risk, data subjects affected must be informed without delay.
Ultimately, breach detection and internal reporting procedures must be in place. A solid procedure could potentially aid you in making decisions to notify relevant parties, and even mitigate future potential problems. Organisations that suffered a data breach are also required to keep a record of such incidents, regardless if it was notified to a supervisory authority or not. To get further in-depth insight into how to handle a data breach, check out our free whitepaper.
GDPR compliance: opportunity, not obstacle
The enforcement of the GDPR brings with it plenty of investment requirements by organisations, both in terms of time and resources. At the same time, it allows for transparency towards individuals such as students and staff, ensuring an increase in trust and brand image of universities. To be able to enjoy these benefits, many organisations resort to using compliance software to automate processes, lower costs, and make their compliance efforts more time-efficient. If you are interested in seeing how such a compliance solution looks like, wherever you may be in your compliance timeline, try out our 14-Day free trial without any commitment, and see for yourself. At the end of the day, GDPR compliant higher education institutions will be able to create a competitive advantage for themselves, for the long-run.