|What To Do in a GDPR World?

What To Do in a GDPR World?

If you’re like me, you’ve received hundreds of emails in the last month explaining newly-updated privacy polices from any and all companies with whom you’ve ever interacted. As you may know, this sudden onslaught of emails was prompted by the European Union’s new General Data Protection Regulation (GDPR), implemented on May 25 of this year.

Given the sheer volume of privacy policy update emails you’re receiving, you may be wondering whether the new law applies to your institution and if so, what your university should be doing. You may also wonder if you should be concerned at all. Today, I’ll discuss these topics along with some ideas for things you can do to move toward compliance.

First, a quick introduction to GDPR. The new law updates an older law on the books and is intended to protect the data and privacy of residents of the EU. It applies to all businesses who process personal data of individuals in the EU. And, here is the kicker: regardless of where that business is located.

It also comes with some hefty fines for infractions – up to 20 million euros! Though, it’s unclear how they would enforce these fines.

To learn more about the law itself, you can visit the official GDPR website.

Now, for the topics you care about.

Does this apply to my university?

Yes, according to Gian Franco Borio, a lawyer who spoke at an Educause session on the GDPR, “Every U.S. educational institution, has here and there, somehow, a relationship with Europe.” Borio continued, “your institution will for sure have a relationship with Europe or people based in Europe, therefore you need to be concerned about the new regulation.” (E.U. Data-Protection Law Looms, Inside Higher Ed).

Are we covered by FERPA?

No, FERPA only covers your student data. GDPR applies to all data defined as “personal data” for any persons who are located in any of the 28 EU nations, regardless of enrollment status with your college or university.

Should we be concerned about our use of Google Analytics or cookies for remarketing?

In short, most likely not. According to a blog by Peak Demand in the UK, “A visitor’s IP address (which is now recognised as personal data by GDPR) is used to determine their physical location but the IP address itself is not data that can be accessed through Google Analytics. All data in Google Analytics is aggregated and anonymised” (Peak Demand). It goes on to note that some more advanced implementations of Google Analytics may be problematic. Given that, it’s worth asking your account administrator if you have an advanced implementation. However, it’s unlikely your account falls into this category.

The use of cookies for remarketing also shouldn’t leave you at risk, as long as your privacy policy is updated to account for their use.

What Should My Unit Do To Comply?

First, find out what steps your university has taken to become compliant. Hogan Marren Babbo & Rose, Ltd recommends focusing first on the elements that are most visible and, therefore, more likely to lead to a fine. In many cases, this would include:

Lack of a compliant Privacy Policy

Start by investigating updates your university’s legal or compliance team have made, if anything. If you aren’t sure what a GDPR-compliant privacy policy looks like, take a look at IT Governance’s article, How to Write a GDPR Privacy Notice, complete with a customizable template.

Failure to obtain proper consent for collecting data

Most of your marketing communications will be covered by the Legitimate Interest Legal Basis, meaning that if you handle your prospects’ information in a reasonable manner based on their request for additional information, you shouldn’t need to obtain express consent for processing their data. However, it’s important for you to know when you need to obtain consent and create a plan for doing so.

Failure to notify the proper authority when a data breach is discovered
Hopefully, this is not something you have to worry about, but if you become aware of a data breach, it is important to report it to the proper entities within 72 hours after becoming aware of the breach. We recommend you make sure your university has a process in place to ensure prompt notification if it becomes necessary.


If you’re looking for a high-level roadmap to compliance, in addition to the priority areas above, take a look at this handy pdf developed by the UK’s Information Commissioner’s Office – Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now

In a nutshell, if you’ve been generally concerned about the impact GDPR may have on your institution, you’re right to be thinking about it. The law, as its written, almost certainly applies to your university, if not your unit. However, there are some simple ways you can make progress toward compliance. And, given the current lack of channels for enforcing fines, it’s unlikely that you will be paying a €20 million fine anytime soon.

By | 2018-06-19T12:16:18+00:00 June 18th, 2018|Articles, Marketing, Uncategorized, What’s new?|