The General Data Protection Regulation (GDPR) is a European Union (EU) law that took effect on May 25, 2018. This regulation provides greater protection to an individual’s personal information and how this information is collected. Higher education institutions throughout the world are affected by GDPR and must make changes to be in compliance.
The information for this post came from an IData webinar, titled “How GDPR Affects Higher Ed Institutions and What You Can Do About It”, held on June 12, 2018. Feel free to check out the recording of the webinar here. Just a note that we are not lawyers, and your legal counsel should be consulted regarding GDPR when necessary.
Here are 9 areas where you can take pragmatic action right now to assist with GDPR at your higher education institution:
- Understanding the definitions involved in privacy – Research GDPR by visiting community.datacookbook.com and get educated. Brainstorm with a group to determine the GDPR specifics for your institution. Finally, create a GDPR document that is specific to your institution so that everyone is on the same page. The goal is increased awareness of data protection and privacy at your institution.
- Identifying and defining the GDPR-applicable individuals – Determine which current students and staff, alumni and former staff, applicants for admission, marketing targets, and so on fall under GDPR. Or make the decision that everyone fits under GDPR. If so, provide everyone with the same protection and processes.
- Inventory of your data systems – Find the answers to the following questions: Where is your data? Who owns and manages the data? Do the external systems you source data from have consent? Do the external systems you share data with have privacy controls and a lawful basis to process the data? Then create an inventory of the data models in all systems. Finally, identify the GDPR-applicable data (personal data). Doing a data systems inventory is probably the most important first step you can take in data governance. Take control of the information you hold.
- Track data movements and data lineage – First, document the system-to-system data flow at a high level, such as CRM to SIS. Then start documenting the specific data moving in each transaction. While doing this documentation, determine whether a data sharing agreement is necessary.
- Review the process for data requests that include private data – If you have a data request process in place, check whether it handles GDPR data requests properly. If no data request process is in place, get one implemented. This goes along with the inventory of data systems, but make sure that your data request process factors in GDPR during requests. Review requests to see whether a data sharing agreement is necessary.
- Data sharing agreements and review of external vendors – Manage internal data sharing and make sure you know who at your institution has access to the data. Manage data sharing with those outside your institution (state government, federal government, compliance agencies, rating groups, billing processors, etc.). Make sure you review the policies of external vendors that hold your data, especially those that might profit from it. Create a policy, understood across your organization, for when a data sharing agreement is needed.
- Make sure all your sourcing systems have a process for consent – Determine whether you need to retroactively ask for consent, for example for a marketing list that you purchased. Make sure that people can opt out of your marketing emails easily.
- Process for data subject requests – Make sure that you have processes that can handle opt-outs and consent changes. Put in place a process for the data subject’s right of access. This is probably the toughest of the actions to take regarding GDPR. Data subjects must be able to make requests electronically as well as physically, and the data subject has the right to lodge a complaint with a supervisory authority. Also put in place a process for data subject erasure requests. GDPR introduces a right for individuals to have their personal data erased; the right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing.