
College admissions offices routinely seek applications from all over the world, and in doing so they communicate with applicants and potential applicants. As of May 25, however, American colleges will be covered by the European Union's General Data Protection Regulation. Violate that law -- and the routine gathering and storage of information could result in violations -- and a college could face fines of $23 million.

Not surprisingly, the size of potential fines has captured the attention of some academic leaders in the U.S. But many are still figuring out which of their practices could be subject to GDPR, as the regulation is known.

The American Association of Collegiate Registrars and Admissions Officers last week released a draft document -- prepared with several other higher education associations -- on scenarios for colleges to consider to determine whether they will need to change practices. The document provides an overview of the regulation, noting, for example, that it gives people in E.U. countries the right to explicit information about the gathering of identifiable information about them, the right to access their data and the right to remove information that they don't want maintained by an entity that collected it.

It is unclear whether the standard privacy protections used by American colleges will meet those standards. While American colleges rely on various third parties for names of potential applicants, and, in theory, students have the option to opt out of providing their information when they take standardized tests, many students don't realize that some of their information is then shared with colleges for recruitment purposes.

The draft released last week doesn't give American colleges a list of things to do or not do -- given that the applicability of GDPR will depend on all kinds of factors that may differ from college to college. But it offers a series of scenarios to help colleges consider where they could be vulnerable. Some of the scenarios:

  • If email communication to potential students includes an "opt out," and there is no response, should the potential student be considered to have opted out?
  • If a potential student is considered to have been properly added to a database based on one purchase of her information, and then her name comes in from another list, does the college need to again verify her willingness to be part of the college's database?
  • How should colleges consider test score information as it relates to GDPR? If a student has applied and, in doing so, indicated acceptance of the college having their information, what about those who send test information before they have submitted an application?
  • If a college uses third parties for applications, does that third party need to identify applicants from E.U. countries?
