European Rules (and Big Fines) for American Colleges

A German student uses your website to apply for admission. An alumnus who lives in Italy makes an online donation. A faculty member spends a sabbatical in France and communicates with colleagues back home. These routine digital interactions -- common in most higher education institutions -- will subject colleges in the U.S. to the European Union's comprehensive privacy rules, which go into effect May 25. Many experts believe American colleges are not prepared -- and could face steep fines as a result.

The E.U.’s General Data Protection Regulation will impact any organization worldwide, including U.S. colleges and universities, that processes data relating to people in Europe.

Speaking at the Educause conference in Philadelphia late last year, Gian Franco Borio, a lawyer who gives legal counsel to the European Association of Study Abroad, said that the GDPR would almost certainly affect all U.S. higher education institutions.

“Every U.S. educational institution has here and there, somehow, a relationship with Europe,” said Borio. “Your institution will for sure have a relationship with Europe or people based in Europe, therefore you need to be concerned about the new regulation.”

Failure to comply with the new rules could cost U.S. institutions more than $23 million in fines. But despite these sharp teeth, few colleges appear to be prepared.

“I seriously doubt that any institution in the U.S. will be even remotely in compliance on May 25,” said Barmak Nassirian, director of federal relations and policy analysis at the American Association of State Colleges and Universities.

“Candidly, the conversations I’ve had have been shocking in that people didn’t even know that this existed, let alone taken steps to comply,” said Nassirian. He added that he believed many institutions were so early in their preparations, they are “reluctant to step up and speak candidly about the fact that they’re nowhere near ready.”

The new rules will require institutions to take extra steps to protect the personal information of people in the E.U., regardless of whether they are E.U. citizens or permanent residents. So the requirements would also apply to American students or faculty members who communicate with campuses while they are in Europe.

In addition to understanding what data they hold, where data is stored and how they are used, institutions will need to be able to accommodate requests to retrieve, correct or erase the data. They must also promptly report any data breaches.

Julia Funaki, associate director of international education services at the American Association of Collegiate Registrars and Admissions Officers, said that awareness of the GDPR at U.S. institutions is growing, but progress appears to be slow.

Funaki said AACRAO is still receiving lots of basic questions about the GDPR from its members, including, “Does this apply to us?”

AACRAO has held three webinars on the GDPR, each one receiving increasing interest. But many people “are really still trying to grasp what the GDPR is,” said Funaki.

A common misconception, said Funaki, is that institutions are already doing enough because they meet the requirements of the Family Educational Rights and Privacy Act. But the requirements of the GDPR and FERPA are “quite different.”

One differing feature of the GDPR is the “right to be forgotten,” said Funaki. She described this requirement as “something of an anathema” to registrars, whose job is “all about retaining records.” The rule could lead to demands to find and eliminate email records, addresses in alumni directories, admissions applications and more.

The GDPR also argues in favor of data minimization, which is “not a forte” of U.S. institutions, said Nassirian. “In many ways, the advent of technology and the fact that storage is now so highly affordable has created sloppy practices,” he said. He suggested that institutions should become much more intentional about the data they keep, in order to minimize the possibility of data breaches and bring down the cost of tracking this information.

Becoming GDPR compliant can seem “almost unmanageable” to institutions at first, said Funaki. A big part of the challenge is the institutional coordination required to comply. “It’s not just one person’s responsibility,” said Funaki. It will take “real effort” to bring together everyone involved -- whether they handle student records, offer legal counsel, buy services from third-party vendors or manage IT security. “An issue like this one really requires coordination from the top down.”

Nassirian said that he feels there is a tendency for universities to assume that GDPR compliance is something IT staff will take care of, when really a lot of the burden will fall on people working in data governance. “People don’t seem to understand the distinction between the data security mandate and the data privacy mandate,” said Nassirian. “There are data security components to the GDPR, but those are fairly straightforward,” he said.

Few institutions seem to have hired staff specifically to tackle GDPR compliance, and no single consulting firm or technology company seems to have emerged as the go-to expert on GDPR compliance for U.S. institutions. But Nassirian said that there is an emerging “cottage industry of unknown entities” offering GDPR services to institutions. “My advice to institutions would be to hang on to their cash and not rush to spend money at this late hour,” he said.

A good way for institutions to look at the GDPR is to think about it as an opportunity to start better data management practices, said Funaki. “When you step back, the GDPR is really about good governance and good data hygiene -- institutions can get their heads around that idea,” she said.

Mark McConahay, associate vice provost and registrar at Indiana University at Bloomington, said that his institution had already taken significant steps to comply with the GDPR -- gathering key stakeholders and identifying all the data that might fall under GDPR protection. The institution is also working through different scenarios for students, staff or faculty who might come from or be situated in the E.U. What happens when a student in Europe takes a class online or when an American student does a semester in Europe? Not all scenarios have been straightforward, however. The question of what an institution should do if a European student asks for a bad grade to be removed from their academic record, for example, is one that troubles McConahay. “There are aspects of the ‘'right to be forgotten’ rule that still need to be fleshed out,” he said and IU is still working through a procedure for this scenario.

“At first reading, the regulations look very onerous, but once you understand what is required and draw parallels to what you do already, they are not nearly as scary as they first appear,” said McConahay. There are, however, things that will need to be done differently. The institution will need to find a way to track people it interacts with in the E.U. It will also need to get them to give their consent before it can store their information. “This will involve describing in some detail the suite of services we’re going to provide them, and outlining their rights under the GDPR,” said McConahay. Whether people will respond positively to these requests for consent remains to be seen.

Another big task is identifying all of the third-party vendors that the institution works with and checking that they are in compliance, said McConahay. “For the most part, the vendors we work with have been pretty in tune with our security and privacy concerns,” he said.

Though he is hopeful that his institution will have finished preparations before May 25, McConahay says he isn’t yet sure what “finished” will look like. “We’re taking it seriously,” he said. “We care deeply about data security and privacy.”

As long as U.S. institutions make a concerted effort to be compliant with the GDPR, Funaki doesn’t believe that the E.U. will set out to make an example of them. “I think this is really more about the Amazons and Facebooks and Googles out there,” she said.

Nassirian agreed: “It would be very difficult to imagine that the E.U.’s first priority would be U.S. institutions. I’m assuming there will be plenty of bigger fish to fry within the E.U. itself.”

While it may be tempting to take a wait-and-see approach to the GDPR, Funaki advises institutions to pay close attention, because these regulations are “the way of the future.” Trust and reputation with regard to data protection are going to become increasingly important, she said. If a college can’t demonstrate that it is taking data protection as seriously as its competitors, it may start to lose out on prospective students.

Asked whether down the line she could see the U.S. adopting data protection rules similar to the GDPR, Funaki said it was “quite possible” but would require a significant cultural shift.

“In Europe, privacy is considered a fundamental human right, but in the U.S. we tend to think of it as a consumer right,” said Funaki. She added, “I think this is just the beginning of a long conversation about data protection around the world.”