Impact of GDPR in U.S. Higher Education
With the EU GDPR compliance in effect (since May 25th, 2018), U.S higher-educational institutions are pushing hard to get GDPR compliant to avoid any legal issues.
The GDPR (General Data Protection Regulation) came into effect on May 25th, 2018. U.S higher educational institutions are struggling to figure out how these rules apply to the overseas programs as well as the analytics on the users (students and employees) who are EU citizens.
Basically, the GDPR defines 3 roles in data transactions:
- The Subject (Person the data is related to)
- The Controller (How is data processed?)
- The Data Processor (How is data processed?
An institution can be a controller as it relates to the student data (human resources). It could also act as data processor – for instance, partnership with another school in study abroad program. GDPR also emphasizes on documentation and understanding what the third-party vendors have access to and how are they using the data.
GDPR talks about the rights of data subjects, including the access to data, the right to deletion (right to be forgotten), and rights to the restriction on data processing. For instance, data subjects have a right not to be subject to a decision based solely on automated processing.
Institutions have three different categories of data which are most likely to be impacted by GDPR:
- The first category involves students who are foreign nationals joining the university in the U.S. or attending the programs on locations abroad. Any data which is collected for these students – from names to grades to status – will be considered as personal data.
- Another set is the HR data. People who work at the U.S. higher-educational institutions may be EU citizens, or if a campus has operations abroad, it is likely to have several EU employees.
- The third category involves marketing. Normally, the marketing data is collected without the real eye towards privacy. With GDPR in place, when a student interacts with the website, that data will also be impacted. The GDPR is about making sure that the rules are properly followed while storing and using that information via documentation and governance.
Many campuses have set up internal working groups to boost their efforts on GDPR, but most of them are not sure about how to proceed and face challenges in identifying impacted systems and processes, and that fact seems to make them reluctant to speak about it.
OculusIT has already helped multiple campuses in the U.S. to overcome these challenges and drive them to success. With a team of security consultants, campuses can quickly identify the impacted systems and processes to avoid any lawsuits from GDPR non-compliance.