If you’re like me, you’ve received hundreds of emails in the last month explaining newly-updated privacy policies from any and all companies with whom you’ve ever interacted. As you may know, this sudden onslaught of emails was prompted by the European Union’s new General Data Protection Regulation (GDPR), implemented on May 25 of this year.
First, a quick introduction to GDPR. The new law updates an older law on the books and is intended to protect the data and privacy of residents of the EU. It applies to all businesses who process personal data of individuals in the EU. And, here is the kicker: regardless of where that business is located.
It also comes with some hefty fines for infractions – up to 20 million euros! Though, it’s unclear how they would enforce these fines.
To learn more about the law itself, you can visit the official GDPR website.
Now, for the topics you care about.
Does this apply to my university?
Yes, according to Gian Franco Borio, a lawyer who spoke at an Educause session on the GDPR, “Every U.S. educational institution, has here and there, somehow, a relationship with Europe.” Borio continued, “your institution will for sure have a relationship with Europe or people based in Europe, therefore you need to be concerned about the new regulation.” (E.U. Data-Protection Law Looms, Inside Higher Ed).
Are we covered by FERPA?
No, FERPA only covers your student data. GDPR applies to all data defined as “personal data” for any persons who are located in any of the 28 EU nations, regardless of enrollment status with your college or university.
Should we be concerned about our use of Google Analytics or cookies for remarketing?
In short, most likely not. According to a blog by Peak Demand in the UK, “A visitor’s IP address (which is now recognised as personal data by GDPR) is used to determine their physical location but the IP address itself is not data that can be accessed through Google Analytics. All data in Google Analytics is aggregated and anonymised” (Peak Demand). It goes on to note that some more advanced implementations of Google Analytics may be problematic. Given that, it’s worth asking your account administrator if you have an advanced implementation. However, it’s unlikely your account falls into this category.
What Should My Unit Do To Comply?
First, find out what steps your university has taken to become compliant. Hogan Marren Babbo & Rose, Ltd recommends focusing first on the elements that are most visible and, therefore, more likely to lead to a fine. In many cases, this would include:
Most of your marketing communications will be covered by the Legitimate Interest Legal Basis, meaning that if you handle your prospects’ information in a reasonable manner based on their request for additional information, you shouldn’t need to obtain express consent for processing their data. However, it’s important for you to know when you need to obtain consent and create a plan for doing so.
If you’re looking for a high-level roadmap to compliance, in addition to the priority areas above, take a look at this handy PDF developed by the UK’s Information Commissioner’s Office – Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now.
In a nutshell, if you’ve been generally concerned about the impact GDPR may have on your institution, you’re right to be thinking about it. The law, as it’s written, almost certainly applies to your university, if not your unit. However, there are some simple ways you can make progress toward compliance. And, given the current lack of channels for enforcing fines, it’s unlikely that you will be paying a €20 million fine anytime soon.