For those of you who are still uncertain of what it is, GDPR stands for General Data Protection Regulation – legislation giving individuals in the European Union more control over their personal data. Because so many US organizations operate in one way or another in the EU, it's prudent for all to ensure they are compliant with the GDPR.
Before going on, please understand that this post is intended to be helpful but should not be considered legal advice. You should consult a lawyer to verify your practices are GDPR compliant.
The General Data Protection Regulation (GDPR) is a European Union law that came into effect on May 25, 2018 and governs how companies and organizations use personal data of all people (but not legal entities like corporations or nonprofits) physically within the EU. The regulation makes no distinctions based on an individual's permanent places of residence or nationality.
The GDPR applies to all commercial and professional transactions of "controllers" and "processors" of data:
- Controllers are the principal entities, such as educational institutions, to transactions with individuals. They are the entities that govern the purposes, uses, and methods related to the "processing" of personally identifiable information.
- Processors are organizations, such as SaaS businesses, that actually carry out the processing activities.
Processing under the GDPR means obtaining, recording, or holding the information, or carrying out any operation or set of operations on the information. For example, a university's database of prospective students, and any emails or text messages sent to individuals with that database, would be considered processing.
The GDPR applies to all individuals' personal data or any information that can be used to, directly or indirectly, identify a person. Personal data means almost anything that could identify a person. This includes not only obvious information such as names, email addresses, physical addresses, health data, financial and employment-related records, phone numbers, but also device IDs, photographs, IP addresses, and even some cookie data.
Thanks to the new laws, EU citizens will now be able to understand what personal data is being collected by businesses, meaning prospects will have greater control over their data. If a company or organization fails to comply, it may result in significant fines.
Does America have to comply?
Since most US businesses operate solely within the US and don't necessarily target EU-based customers, they are unaffected by the implementation of the GDPR. There are two situations which US companies and organizations should closely monitor:
- The organization offers goods or services to EU-based individuals (whether for payment or not)
- The organization monitors the behavior of EU-based individuals (including via cookies). This, importantly, may also capture companies providing B2B services to businesses based in the EU, such as hosted data services, data analytics platforms, and outsourced business functions.
In a nutshell, Europe wants to ensure that companies marketing to or interacting with EU consumers are more responsible in doing so. It is important to remember that most companies with an online presence and any companies that process EU personal data are impacted, regardless of sector. This includes educational institutions, since many either have prospective students from the EU or provide distance learning to students in the EU.
For educational institutions, it's important to understand that the GDPR is different from common US privacy laws such as FERPA (Family Educational Rights and Privacy Act), the primary privacy mandate for more than 40 years. They differ in two distinct ways:
- While "personally identifiable information" as defined in FERPA is similar to that in the GDPR, the latter subjects all personally identifiable data to its core requirements and provides additional protections for "sensitive personal data" including racial and ethnic origin, religion, sexual orientation, political views, etc.
- FERPA addresses post-collection disclosure practices. FERPA focuses on who within the institution and which third parties outside it may gain nonconsensual access to the information in question. GDPR, however, subjects the entire lifecycle of all personal information to its strictures and generally requires the individual's consent as a precondition for processing activities.
Ultimately, the GDPR is intended to inspire more helpful marketing, transparent consent and responsible data management. The GDPR may seem like a headache, but it’s designed to encourage advertising with integrity. It also benefits recruiting as it helps you focus on engaged prospective students as opposed to wasting time and effort on those who may be uninterested in your institution.
How to Comply
A unique feature of the GDPR is that it covers all facets of information management including the collection, retention, deletion, breaches, and disclosures of personal data. No single US privacy or data security law currently governs all of these related issues.
There are five key points of the GDPR that institutions should consider for compliance. Individuals should:
- Agree to the collection of their personal data
- Be made aware of how and when their data is collected
- Be able to request copies of their data
- Be able to request their data be edited or deleted
- Agree to be contacted by sales reps (or the like)
The primary areas that educational institutions collecting data for prospective students should focus on are obtaining consent, data requests, and deletion.
Consent should be freely given, specific, informed, and unambiguous. Consent comes through an affirmative action (pre-ticked boxes aren’t allowed). This means that gathering the proof points you need for consent can be more complicated than it sounds.
One potential solution is to develop a process designed to generate as little data as possible. If you need the data for your legitimate interests, you should have no problems as long as you define and explain your need to the individual. According to GDPR Recital 47, direct marketing passes this test! You’ll simply need to record the consent and you need to be prepared and able to remove the relevant data if the person changes their mind.
If you utilize web forms to request personal data, consent is needed if the data you’re asking for is beyond the scope of the service provided.
For example, they’re requesting you get in touch with them about your institution, and you collect their email and telephone number. This is a clear information exchange in seeking contact. However, if you also ask for their income or their school name, you would need to seek consent for that part of the form.
If you host an event and receive emails from attendees, as long as you clearly explain and record what the emails will be used for, you may add these to email communications afterward. For example, if the page reads, "Enter your email if you’d like more insights and information about our school," and attendees enter their email address – this counts as consent.
Data Requests and Deletion
You can’t have privacy without security. The GDPR requires you to have appropriate security for any personal data you process. This may mean things like strong passwords, access controls, and industry standard technical security measures.
Institutions should be prepared and able to remove the relevant data if a prospect changes their mind. Your prospects may also exercise their right to have access to their data. You should consider how to make this process possible, and potentially delete this data on request of the prospect.
You may also explore establishing a system to make it clear when data needs to be deleted. This may include specific triggers when certain conditions are met to live up to that commitment and automate the deletion process – you’ll save time and prevent any future headaches.
Is text message marketing affected?
Just as GDPR replaced previous privacy law, the EU intends to replace the current Privacy and Electronic Communications Regulations (PECR) with a new ePrivacy Regulation (ePR) at the same time. Both the PECR and ePrivacy Regulation focus on rules regarding electronic communications – email, SMS, automated voice, etc.
The implementation of the ePrivacy Regulation will not take place until 2019, so for now, organizations are fine following the requirements of PECR. This means organizations can continue to use a "soft opt-in" to send email and texts.
A soft opt-in is to when an institution has obtained an individual’s details as part of the recruiting process, where you’re only marketing your own institution, and you provide an opt-out in every marketing communication.
You may, however, need to consider a different approach to any bulk prospect lists or lapsed prospective students – in these circumstances, we would suggest that consent is the most appropriate basis.
The GDPR is a step forward in protecting individual's personal information, so it's helpful to view its regulations as positive. It ensures that institutions better inform prospective students about what they do with personal data, account for the data they process (e.g., by keeping clear records on what they do with data), and emphasize privacy, both at the inception of the relationship and throughout the student lifecycle.
If you want to learn more about how AdmitHub can help you stay compliant as you communicate with prospective students, contact us!
co-authored by Adrian Serna