Each year, the United States hosts over a million foreign students. And for the schools they attend, this often means complying with rules and regulations that these students bring with them from their home countries.
For US colleges and universities with students from the European Union (EU), this means adhering to the comprehensive and mandatory privacy rules put forth in the General Data Protection Regulation (GDPR).
GDPR went into effect on May 25, 2018, and has gathered a considerable amount of attention for its widespread coverage and stiff penalties. Designed to protect the privacy rights and personal data of every EU citizen, regardless of where they live in the world, GDPR encompasses more than just organizations located within the EU.
Organizations across the globe, including colleges and universities, are now required to comply or else face serious repercussions. Let’s take a closer look at what that means for U.S. colleges and universities.
The Fundamentals of GDPR: Core Principles and Requirements
Directly or indirectly, the vast majority of US-based higher education institutions have some relationship with countries in the EU. Whether it is a French student applying online for admission, an alumnus living in Germany who makes an online donation to the school, or a faculty member collaborating on a research project with colleagues in Italy, every routine digital interaction must adhere to the tenets put forth in the GDPR.
If you’re feeling unsure about your college or university’s GDPR compliance status, you’re not alone. According to a 2018 Campus Computing Survey, only 48.6% of all higher education institutions reported they were currently compliant with GDPR.
The first step is understanding exactly what GDPR covers. At its essence, the GDPR dictates that university officials tasked with security and compliance, typically the chief security officer (CSO) or chief information officer (CIO), must have systems in place that thoroughly manage and track how and where the data they have on EU citizens is stored, shared, and used.
The controller or handler of the data must be responsible for, and be able to demonstrate, their compliance with the following principles:
- Ensuring lawful, fair, and transparent processing of individuals’ data
- Limiting data usage solely to the purpose for which it was obtained
- Ensuring that data is adequate, relevant, and contains only the information necessary to accomplish its goal
- Maintaining data accuracy and keeping it up to date, while also properly removing or destroying data, without delay, when a user has requested its removal
- Keeping data for a period of time specific to its intended use
- Processing data in a secure manner to protect the rights and privacy of individuals while preventing accidental loss or destruction of the same
- Strictly regulating the export of personal data outside the jurisdiction of the GDPR
- Reporting any data loss or breach in a timely fashion
As many information security professionals have noted, much of the GDPR's current text is left to interpretation: it frequently uses terms such as “reasonable” or “timely” without ever fully defining them. As more cases are reviewed, the GDPR will likely be amended to become less ambiguous and complicated.
But for now, the lack of clear interpretation means that universities, and the vendors that provide them with software-as-a-service (SaaS) products, must take extra precautions when preparing themselves for compliance with this legislation.
The Stakes Are Real, and Higher Than You Might Think
Failure to comply with GDPR can mean much more than a slap on the wrist. Regulators can impose fines of up to 4 percent of revenue from the previous year or 20 million euros ($23 million), whichever is greater, for violations. And the GDPR is already making its presence felt.
Regulators in many EU countries have seen a spike in the number of complaints about violations, with France and Italy reporting a 53 percent jump in complaints from the previous year. Recently, EU governments have started adding staff to review GDPR complaints, and data protection authorities (DPAs) are now offering recommendations on how systems can be fixed to become GDPR compliant. The first set of major penalties starts in early 2019 and includes admonishing the offenders, imposing temporary bans, issuing ultimatums, and finally, imposing punitive fines.
The lack of early enforcement, however, has complicated the compliance picture. Many universities that felt an early sense of urgency around becoming GDPR compliant are now taking a “wait-and-see” approach, slowing their compliance efforts until they see fines levied against larger educational systems.
Unfortunately, many U.S. schools still do not understand the impact that the GDPR will have on their enrollment, research, and business dealings with students, faculty, and staff who are either from the EU or doing work there. While many may feel they have come a long way towards GDPR compliance, the reality is they have just put a privacy statement on their website or perhaps enacted one or two of the simpler policies around GDPR.
The more substantial work around data mapping (the mandatory documentation and the systems in place to ensure that EU data is handled, protected, and kept anonymous) has largely been left undone. Even some institutions that have taken great pains and spent many months to comply with the GDPR, including identifying all data that might fall under GDPR protection and running various what-if scenarios for handling and removing European data, still have a long way to go to achieve full compliance.
And while university IT leaders have been told not to panic about GDPR enforcement at recent national education conferences and seminars, they have also been advised not to get complacent. The smart move is to start taking steps now, at a reasonable and measured pace.
Assure GDPR Compliance with a Complete IAM Solution
Achieving and maintaining GDPR compliance starts with identity and access management (IAM). Today’s IAM systems give universities a highly available, centralized, and flexible identity management infrastructure that incorporates the principles of GDPR and other data security legislation into their day-to-day business processes in an automated fashion. This ensures consistent, reportable, and auditable controls that can be used to demonstrate organizational compliance, while freeing up IT staff to focus on other business objectives.
GDPR is here, your college or university is likely affected in some way, and organizations in the US and abroad are already facing the possibility of hefty fines for violations. Adopting a “wait-and-see” policy is a risky option. Should a breach occur, the penalties your higher education institution will face are substantial.
For more information on GDPR, steps to make the process as manageable as possible, and the ways in which IAM can clear the way for GDPR compliance, download our complete guide, GDPR Compliance for Higher Education.
Plus, stay tuned for the second part of this blog series, where we will provide six essential and actionable steps your organization can take to help achieve GDPR compliance.