The amount of coverage and attention the General Data Protection Regulation (GDPR) received leading up to May 2018 was intense to say the least. But even now, more than a year since that date has come and gone, organizations across the world are still either unsure or mistaken about whether they are compliant—and how to become so.
When examining your own institution’s status, it’s important to first understand the motivation behind the GDPR, which is to increase the rights and control EU citizens have over their own data. Any EU citizen is covered by these regulations regardless of where in the world they, or the company they are doing business with, are located, and the EU plans to impose stiff penalties on organizations that are non-compliant.
This means that being in compliance with GDPR is essential for American colleges and universities that interact with foreign students, exchange programs, and international partnerships.
With GDPR, the EU is essentially treating data and data privacy as a fundamental human right, which is vastly different from how it is viewed in the US. As such, many US institutions, including colleges and universities, don’t have the controls or systems in place to comply with these strict requirements, or even the expertise to implement them.
We recently discussed the fundamentals of GDPR, including the core principles and requirements. But if your institution isn’t prepared to meet these requirements, you may be wondering where to even begin.
Getting Compliant: Six Essential Steps
Regardless of how far along your school is on the GDPR compliance path, here are six steps that can make the process more manageable and straightforward:
Establish Accountability and a Governance Framework
This vital first step requires your school’s Chief Information Officer (CIO) or other manager leading the GDPR compliance effort to get administrative support for starting the project and seeing it through to completion. This requires a careful and candid discussion about the benefits and risks of GDPR compliance (or non-compliance). At this point, your institution should appoint a GDPR project manager who reports to the CIO and is responsible for keeping the different groups on track with their specific contribution to the compliance effort.
Scope the Project List
Working with your school’s IT department, the project manager should identify the academic departments, administrative offices, and other groups that are within scope—anyone who will be impacted by (or who will impact) the data management and security process and whose day-to-day activities directly or indirectly influence GDPR compliance. This step also identifies all standards and/or management systems that might provide a framework to ensure GDPR compliance. There may be some overlap with other best practices and procedures, such as ISO 27001 (the information security management standard).
Conduct a Data Inventory and Data Flow
This process maps out how European data moves through the university—where and how it is stored and processed, who sees it, how much is shared, how it is transmitted, and so on.
Assess the Risk Impacts on the Data
This step calls for determining how easily data can be breached, siphoned, lost, deleted, or stolen as it moves through the university system. This is commonly done through penetration testing, which uses ethical or “white hat” hacking to test your system for security vulnerabilities that an attacker could exploit. With this assessment, you can better understand your current compliance position.
Conduct a Gap Analysis
A gap analysis compares what is in place today with what should be in place for GDPR compliance. It identifies areas for improvement—where security and processes need to be tightened up to achieve compliance.
Common questions to ask during this gap analysis include:
- Is the data encrypted when it comes into the university system?
- Is it stored in clear text?
- Is it shared with all the right departments?
Asking these questions will help you understand what kind of protection and technical controls are required, and then guide how you can tighten up security to get compliant.
Develop Operational Procedures
With the previous steps as your guide, put the processes, policies, and systems in place to close the gaps and get compliant.
Still Not Sure How to Start? How a Health Check and IAM Can Help
Even using the general roadmap from the previous section as a guide, understanding the complexities of GDPR requirements and the potential risks facing your institution is difficult. Getting a GDPR Health Check can quickly identify how GDPR applies to your institution and what efforts might be required to mitigate those risks.
For example, Moran Technology Consulting, an Identity Automation partner and management consultancy for higher education, offers a GDPR Health Check that assesses an organization’s starting point and then walks it through the steps to get compliant.
Part of this process includes a review of your current Identity and Access Management (IAM) solution. Depending on the IAM system that you currently have in place, the assessment might find that its features and functionality are not robust or flexible enough to facilitate your journey to GDPR compliance.
You may find that your school falls short of compliance in some way. Maybe you found vulnerabilities in the management of your data, discovered that you don’t have strict enough governance controls, or learned that you lack the ability to audit access to your systems.
When developing operational procedures to address these gaps, consider IAM as a viable solution. Switching to a modern IAM solution, like RapidIdentity, gives you a cradle-to-grave identity management solution that addresses governance, risk, and compliance needs, while aligning your data management protocols with GDPR’s requirements.
You can properly secure and manage access to all data to avoid breaches, store data related to Europeans separately, properly deprovision accounts and delete data, and ensure you have consistent, reportable, and auditable controls.
GDPR Compliance for Higher Ed
Though GDPR is in effect, we don’t have a vast amount of information on how the EU will enforce it. Our advice, however, is not to wait for other organizations to be penalized to see what you’re facing. By taking that approach, you are ultimately risking your own organization being the one that sets the example for others.
Should you need more guidance on GDPR, a full breakdown of the requirements, penalties, and how IAM can play a role in your journey to compliance is provided in our ebook, GDPR Compliance for Higher Ed.