Knowledge Is Power: What Higher Education Institutions Must Know About GDPR Compliance Risk

Jeff Sanchez, Managing Director Security and Privacy
Eric Groen, Managing Director Internal Audit and Financial Advisory

In the coming months, as U.S. colleges and universities prepare to welcome students to a new academic year, a priority topping their to-do lists should be identifying and understanding their risk exposure to the European Union's (EU) General Data Protection Regulation (GDPR). They also should be making the technological, administrative and legal changes needed to meet the requirements of this complex mandate, which became enforceable on May 25, 2018.

Institutions of higher learning manage and generate a wealth of data, from personally identifiable information (PII) about students and faculty to intellectual property used in courses and in research and development (R&D). The leadership at most colleges and universities today fully understands that this data is a target for malicious hackers: reported data breaches in the education sector have risen sharply in recent years, and institutions are investing to improve security technology and processes in response.

However, many U.S. colleges and universities are only just beginning to understand the extent of the risks they may face due to GDPR — a separate issue from their cybersecurity challenges. They have spent the past several months trying to determine exactly how the regulation’s new rules might apply to their data. One reason for the scramble: Many institutions simply realized too late that the GDPR does, in fact, apply to their operations — in several ways, and even for the most routine transactions.

If they’re not already, U.S. colleges and universities should be motivated to get their arms around GDPR compliance as quickly as possible given the potential for hefty penalties. The most serious violations can carry fines of up to €20 million, or 4 percent of worldwide annual revenue of the prior financial year, whichever is higher. The potential for lawsuits and reputation damage is also significant.

For more details about the GDPR and compliance, download the Protiviti point-of-view paper, Preparing for the General Data Protection Regulation— The Clock Starts Clicking Now. A quick overview of the mandate can be found here.

Examples of GDPR Danger Zones for U.S. Institutions of Higher Learning

Given the nature of their operations, colleges and universities can be both data controllers and data processors under GDPR. A university is a controller whenever it decides why and how student data is processed, for example in managing its own enrolment, grading and alumni records. The same university acts as a processor when it handles personal data on behalf of, and under the instructions of, another institution, for example when it administers enrolment records for a partner's study abroad programme. Where two institutions jointly decide the purposes and means of a shared programme, they are joint controllers rather than controller and processor. The distinction matters because each role carries different obligations, and the contract between the parties (Article 28 for processors, Article 26 for joint controllers) must reflect the role actually performed.

Here are three ways that U.S. colleges and universities may be exposed to GDPR compliance risk:

Through their online presence — Many leading institutions have created large and sophisticated online education programs, and people taking classes through those programs may be located anywhere in the world. If a student is in the EU while the institution offers the course to them, the GDPR applies to that student's data (Article 3(2)(a)), regardless of the student's nationality and even though the institution has no establishment in the EU.

Also, students who earn a degree through an online program become alumni of the institution that provided the program. That college or university is likely to continue marketing to those former students, and many people will continue to interact with their university long after graduation, for example by making online donations. All data related to these transactions is subject to GDPR if the alumnus is located in an EU country when the institution markets to or transacts with them.

The GDPR may also cover data that is related to other routine digital transactions for an institution of higher learning. An example: personal data provided by a student in Germany who applies for admission to a U.S. university through the school’s website.

Through visiting students and faculty — Study abroad programs are potential GDPR danger zones for U.S. colleges and universities as well. The regulation's territorial reach turns on where the data subject is located when the institution offers them a service, not on citizenship. U.S. students attending programs in EU countries are therefore data subjects in the Union for the duration of their stay. Students who come from EU countries to study in the United States present GDPR exposure before and long after their actual period of study: while the university corresponds with them about admission, when they are still located in the EU, and after they return home and become alumni.

Human resources data is also subject to GDPR when an institution employs staff who are located in the EU, for example remote or visiting faculty, or when it operates an establishment in the EU (a campus, research station or liaison office). In the latter case, Article 3(1) brings all processing carried out in the context of that establishment within scope, whatever the nationality or location of the people concerned.

For some institutions, the number of students and faculty whose data is subject to GDPR is small. But for many colleges and universities, it’s a sizeable population to manage.

Through R&D activities — Large research universities run R&D programs and projects all over the world. They also may have faculty and students physically in EU countries participating in these activities. In addition, they may be gathering information and insight for their research from people in many countries.

Study participants are another risk area. Research datasets are often "anonymised" by removing names and ID numbers, but that is rarely sufficient from a GDPR perspective. Data is anonymous only if the data subject can no longer be identified by any means reasonably likely to be used, taking into account all of the data the institution holds or can obtain, not just what is published (Recital 26). Pseudonymised data, where identifiers are replaced by codes but the key or the remaining attributes still allow re-identification, remains personal data. The practical test is therefore whether the combination of attributes actually processed, such as postal code, birth year and programme of study, can single out an individual, for example by linkage to a public directory. If it can, all of the GDPR's protections apply to the dataset.
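As an added illustration, not part of the original post, the following Python shows why dropping names is not anonymisation in the sense described above. It uses a constructed participant table (names and IDs already removed) and a constructed public directory, measures how many participants are singled out by the remaining quasi-identifiers (the k-anonymity of the table), links the table to the directory to recover names, and then generalises the quasi-identifiers until no participant is unique. All column names, records, thresholds and generalisation rules are assumptions made for the example.

```python
from collections import Counter

# Constructed sample: a study's participant table after names and student IDs
# were removed. The remaining columns are quasi-identifiers: individually
# innocuous, but in combination they can single out a person.
PARTICIPANTS = [
    {"postal_code": "10115", "birth_year": 1994, "program": "MSc Physics",     "score": 71},
    {"postal_code": "10115", "birth_year": 1994, "program": "MSc Physics",     "score": 64},
    {"postal_code": "10117", "birth_year": 1991, "program": "PhD Chemistry",   "score": 88},
    {"postal_code": "10119", "birth_year": 1996, "program": "PhD Chemistry",   "score": 59},
    {"postal_code": "20095", "birth_year": 1989, "program": "PhD Chemistry",   "score": 92},
    {"postal_code": "20099", "birth_year": 1987, "program": "PhD Biology",     "score": 77},
    {"postal_code": "20144", "birth_year": 1992, "program": "MSc Physics",     "score": 80},
    {"postal_code": "20146", "birth_year": 1993, "program": "MSc Mathematics", "score": 66},
]

# Constructed public directory (e.g. an alumni listing) holding the same
# quasi-identifiers alongside a name. The adversary needs nothing else.
DIRECTORY = [
    {"name": "Alice", "postal_code": "10117", "birth_year": 1991, "program": "PhD Chemistry"},
    {"name": "Bob",   "postal_code": "10115", "birth_year": 1994, "program": "MSc Physics"},
    {"name": "Chen",  "postal_code": "20095", "birth_year": 1989, "program": "PhD Chemistry"},
]

QIDS = ("postal_code", "birth_year", "program")  # assumed quasi-identifier set


def qid_key(record, qids=QIDS):
    """The quasi-identifier tuple that a linkage attack would join on."""
    return tuple(record[q] for q in qids)


def equivalence_classes(records, qids=QIDS):
    """Size of each group of records sharing the same quasi-identifier tuple."""
    return Counter(qid_key(r, qids) for r in records)


def k_anonymity(records, qids=QIDS):
    """Smallest equivalence class; a table is k-anonymous for exactly this k."""
    classes = equivalence_classes(records, qids)
    return min(classes.values()) if classes else 0


def singletons(records, qids=QIDS):
    """Quasi-identifier tuples that match exactly one participant."""
    return sorted(key for key, n in equivalence_classes(records, qids).items() if n == 1)


def reidentify(records, directory, qids=QIDS):
    """Link the 'de-identified' table to the directory on the quasi-identifiers.

    Returns {name: score} for every directory entry that maps to exactly one
    participant, i.e. the sensitive attribute leaked by the linkage.
    """
    by_key = {}
    for r in records:
        by_key.setdefault(qid_key(r, qids), []).append(r)
    hits = {}
    for person in directory:
        matches = by_key.get(qid_key(person, qids), [])
        if len(matches) == 1:
            hits[person["name"]] = matches[0]["score"]
    return hits


def generalise(records):
    """Coarsen the quasi-identifiers (an assumed generalisation hierarchy):
    postal code -> first two digits, birth year -> decade, programme -> degree level.
    The same function must be applied to any table the data is compared against."""
    out = []
    for r in records:
        g = dict(r)
        g["postal_code"] = r["postal_code"][:2]
        g["birth_year"] = (r["birth_year"] // 10) * 10
        g["program"] = r["program"].split()[0]
        out.append(g)
    return out


if __name__ == "__main__":
    print("raw table: k =", k_anonymity(PARTICIPANTS), "singletons:", len(singletons(PARTICIPANTS)))
    print("re-identified from directory:", reidentify(PARTICIPANTS, DIRECTORY))
    gen = generalise(PARTICIPANTS)
    print("generalised: k =", k_anonymity(gen), "singletons:", len(singletons(gen)))
    print("re-identified after generalisation:", reidentify(gen, generalise(DIRECTORY)))
```

On the raw table, six of the eight participants are unique on (postal code, birth year, programme), so the table is only 1-anonymous and two of the three directory entries are linked straight to a score. After generalisation every class has two members and the linkage returns nothing. k-anonymity is a floor, not a certificate: a class whose members all share the same sensitive value still discloses that value (the l-diversity problem), and a larger external dataset can carry further quasi-identifiers the generalisation did not consider, which is why Recital 26 asks about all means reasonably likely to be used.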

Getting Compliant and Future-Proofing for Similar Mandates

Any U.S. college or university that is struggling to understand the GDPR and how it may affect its operations should act now to engage outside specialists who can:

  • Interpret the regulation, and provide analysis and advice
  • Conduct a gap assessment and remediation against leading practices, including examining third-party and processor risks
  • Offer appropriate compliance solutions for data privacy and security
  • Assist with monitoring and maintaining controls once implemented

Even U.S. institutions that don't currently face significant GDPR compliance risks should take steps to protect themselves. They should consider "future-proofing" to the extent possible because the United States could adopt similar regulations in the future. California has already enacted a strong consumer privacy law in the spirit of the GDPR, the California Consumer Privacy Act of 2018 (CCPA). Like the GDPR, it can reach organizations located outside its jurisdiction that do business with the people it protects, although it covers California residents only and, as enacted, applies to for-profit businesses meeting certain size thresholds rather than to nonprofit institutions. Other states are following suit as well.

In addition, if an institution aims to expand its international operations and student body in EU countries in the future, it should be proactive about preparing now to meet GDPR requirements.

Colleges and universities are just one group of organizations that need to be keenly aware of their risk exposure to GDPR and other mandates related to data privacy and security. Building security and privacy processes into day-to-day operations, and adopting best practices to meet emerging trends and regulations, are foundational steps toward supporting their digital future, which we will discuss in more detail in an upcoming post.

Subscribe to this blog to stay on top of these and other topics. For details on how Protiviti can help organizations with GDPR risk and compliance, visit the GDPR Is Here — Now What? page on our website.