As the deadline for the European Union (EU) General Data Protection Regulation (GDPR) approaches in 2018, U.S. colleges and universities are questioning how it applies to them and working to make sure they are in compliance. We at CampusGuard are ready to help our customers understand, evaluate, and meet these new requirements.
The GDPR takes effect on May 25, 2018. It applies to organizations outside of the EU that process personal data (roughly what U.S. institutions call personally identifiable information) of individuals who are in the EU (“data subjects”), whether the organization acts as a data controller or as a data processor. If your organization offers goods or services to data subjects in the EU, or monitors their behavior while they are located within the EU, the regulation applies to you. The GDPR applies in a variety of scenarios that are common in higher education, including institution-controlled public-facing websites that offer goods or services, student study-abroad programs, and any research about individuals in the EU that could, in some way, identify them. Enrollment activities may be covered under the GDPR if an institution is targeting or enrolling people located in the EU and the institution collects personal data about those individuals during the enrollment or recruitment process.
Below are just a few other ways the GDPR might apply to your institution:
- Applications from EU residents
- Admissions from EU residents
- Online learners living in EU countries
- Alumni or donors based in the EU
- Marketing communications recipients
The GDPR addresses what types of data may be collected, under what specific circumstances, how that data may be used, how the data must be secured, how the data must be disposed of, and what rights the data subject has during the life cycle of their personal data. The GDPR imposes a variety of data privacy and data security requirements that organizations must follow, including:
- Data security practices
- Personal data usage and privacy restrictions
- Data breach reporting requirements
- Personal data consent collection requirements
Covered Data can include:
- First and Last Name
- Bank Account information
- Medical Records
- Passport information
- Personal e-mail addresses
- Credit Card information
- Photos/videos posted on social media
- IP Addresses
At a high level, these are the key requirements from the GDPR that organizations should be aware of:
Breach notification: The GDPR requires a personal data breach to be reported to the competent supervisory authority (the national data protection authority) within 72 hours of becoming aware of it, where feasible, unless the breach is unlikely to result in a risk to individuals; if the breach is likely to result in a high risk to them, the affected data subjects must also be told without undue delay. A processor must notify the controller without undue delay. The notification must describe the nature of the breach, its likely consequences, and the measures taken or proposed to address it, and the organization must keep its own record of every breach, including the facts, its effects, and the remediation, whether or not it was reportable. Organizations will want to review their current Incident Response Plan (IRP), add the GDPR notification timeline and content requirements, and train all employees and staff to escalate suspected breaches promptly, since the 72-hour clock starts when the organization becomes aware of the breach.
Consent: Where consent is the lawful basis you rely on for processing (it is one of several bases under the GDPR; processing necessary for a contract, for a legal obligation, or for your legitimate interests does not require consent), it must be freely given, specific, informed, and unambiguous. Before soliciting consent, the individual must be told who the controller is and how to contact it, the purpose of the processing, who will receive the data, and their rights, including that they can withdraw consent at any time and as easily as they gave it. Consent requires an affirmative act: a checkbox must be deliberately selected by the user and never checked by default, and silence or inactivity does not count. For online services offered directly to children, parental consent is required if the child is under 16 years of age (member states may lower this threshold to 13). Consent for special categories of data, such as health records, must be explicit.
Record keeping: Controllers and processors must maintain a written record of their processing activities (purposes, categories of data subjects and data, recipients, international transfers, retention periods, and a description of the security measures in place) and make it available to the supervisory authority on request.
Right to Access: The GDPR grants data subjects certain rights relative to their personal information. Organizations must provide privacy notices ensuring individuals know how their information will be used. Part of the expanded rights of data subjects outlined by the GDPR is the right to obtain confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. The individual can also request a copy of the personal data, free of charge for the first copy, in a commonly used electronic format when the request is made electronically; the organization generally must respond within one month.
Right to be Forgotten: Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being necessary for the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against “the public interest in the availability of the data” when considering such requests, and that Article 17(3) carves out data that must be kept to comply with a legal obligation under EU or member state law, to establish or defend legal claims, or for archiving or research in the public interest. Retention rules imposed only by U.S. law do not fall under that carve-out, which is why this right often conflicts with the record retention requirements in higher education and will most likely be disputed.
Data Portability: The GDPR also includes a data portability component – the right of a data subject to receive the personal data concerning them, which they previously provided to the controller, in a “structured, commonly used and machine-readable format,” and to transmit that data to another controller. It applies to data processed by automated means on the basis of consent or a contract.
Data Protection Policies: Similar to the PCI DSS, the GDPR states that organizations must implement appropriate data protection policies, outlining the technical and organizational measures needed to ensure personal data is protected.
In order to be able to demonstrate compliance with this regulation, organizations are required to adopt internal policies and implement measures minimizing the processing of personal data, pseudonymizing personal data as soon as possible (processing it so that it can no longer be attributed to a specific individual without additional information that is kept separately and protected by technical and organizational measures), and providing transparency with regard to the functions and processing of personal data. Policies and procedures should enable the data subject to monitor the data processing and enable the organization to deploy effective security features to protect all personal information.
- Personal data processed by the organization should be relevant and limited to only what is necessary.
- Secure all systems used for processing personal data to prevent unauthorized access. Networks and information systems used should be secured to prevent accidental events and malicious actions that compromise the availability, integrity, and confidentiality of stored or transmitted data. The GDPR specifically mentions securing electronic communications networks and protecting them from malicious code distribution.
- Ensure the period for which the personal data is stored is limited to a strict minimum. Data retention policies should be established and periodically reviewed.
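The pseudonymization and minimization measures described above, as an added example that is not from CampusGuard or the original article (Python; the sample rows, the candidate directory, the field names and the helper names are constructed for illustration): a keyed pseudonym is computed with HMAC-SHA256 so the same data subject gets the same token within a project, the key is the separately held “additional information” that makes re-identification possible only for the authorized party, and an unkeyed hash is shown alongside to make the difference concrete, since a plain hash of an e-mail address can be reversed by anyone with a directory of plausible inputs.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows, as a research export might leave a student information
# system: direct identifiers mixed with the fields the analysis actually needs.
SAMPLE_ROWS = [
    {"email": "Alice.Example@uni.example", "passport": "X1234567", "country": "DE", "score": 71},
    {"email": "bob@uni.example", "passport": "Y7654321", "country": "FR", "score": 64},
    {"email": "alice.example@uni.example ", "passport": "X1234567", "country": "DE", "score": 88},
]

# Data minimization: only these fields leave the system of record.
KEEP_FIELDS = ("country", "score")

# Constructed candidate list standing in for a public directory an attacker could harvest.
CANDIDATE_EMAILS = ["alice.example@uni.example", "bob@uni.example", "carol@uni.example"]


def normalize(identifier: str) -> str:
    """Canonicalize the identifier so the same subject always maps to the same token."""
    return identifier.strip().lower()


def unkeyed_token(identifier: str) -> str:
    """Plain hash: looks anonymous, but anyone can recompute it from a guessed input."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()[:32]


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. The key is the 'additional information' that must be
    stored separately (e.g. a secrets manager or HSM) from the pseudonymized data."""
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymize(rows, key: bytes):
    """Replace the direct identifier with a keyed token and drop every field not in KEEP_FIELDS."""
    out = []
    for row in rows:
        record = {"subject": keyed_token(row["email"], key)}
        for field in KEEP_FIELDS:
            record[field] = row[field]
        out.append(record)
    return out


def reidentify(token: str, candidates, token_fn):
    """Brute-force a token against a candidate list. This is what an attacker can do
    against an unkeyed hash, and what only the key holder can do against a keyed token."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def generate_key() -> bytes:
    """256-bit key: generate once, store outside the dataset, rotate per project."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = generate_key()
    for record in pseudonymize(SAMPLE_ROWS, key):
        print(record)
    # The unkeyed scheme falls to a directory lookup; the keyed one does not without the key.
    print(reidentify(unkeyed_token("bob@uni.example"), CANDIDATE_EMAILS, unkeyed_token))
    print(reidentify(keyed_token("bob@uni.example", key), CANDIDATE_EMAILS, unkeyed_token))
```

Because the token is deterministic for a given key, two exports from the same project can still be joined on the subject column, which is what distinguishes pseudonymization from anonymization; destroying the key converts the dataset into one that can no longer be linked back, which is also the simplest way to honor an erasure request for a research extract.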
The cardholder data you already protect within your PCI cardholder data environment (CDE) is personal data when it relates to individuals in the EU, so it is also subject to the GDPR. The PCI DSS technical controls (network segmentation, access control, encryption, logging, vulnerability management) map well onto the “appropriate technical and organizational measures” the GDPR requires for security of processing, but they do not cover the rest of the GDPR: lawful basis, consent, data subject rights, records of processing, breach notification to a supervisory authority, or retention limits. The biggest difference between the PCI DSS and the GDPR is scope: the PCI DSS focuses specifically on protecting card data, while the GDPR protects all forms of personal data. While the two requirements are not directly related, organizations can reuse the strict controls from the DSS, and the CDE scoping exercise itself, as a starting point for identifying where personal data lives and how it is protected.
Organizations should consult with their legal teams to understand their exact responsibilities under the GDPR. From a high level, CampusGuard recommends approaching the GDPR the same way you would any information security risk assessment. The risk assessment should determine:
- What data is being collected?
- Where is the data being sourced?
- Why is the data collected?
- How is it processed?
- Who has access?
- How long is the data retained?
- Where is the data transferred to?
Non-compliance with the GDPR carries significant penalties. The most serious violations can lead to administrative fines of up to 20 million euros (roughly $23.6 million USD at the time of writing) or 4% of an organization’s total worldwide annual turnover for the preceding financial year, whichever is greater; a lower tier of up to 10 million euros or 2% applies to violations such as inadequate security or record keeping. Supervisory authorities do have investigative powers, including audits, but enforcement is expected to be driven mainly by reported breaches and complaints from data subjects, so right now it does not appear that most organizations will face routine GDPR audits.
Once the May 2018 deadline arrives, we will begin to see how strictly the GDPR is enforced against organizations both in the EU and in the US. It may take a few years to see how it will be interpreted and enforced, and adjustments to some of the requirements will most likely be made.
If you would like to discuss how the impending GDPR affects your institution, or learn more about how we can assist with a general information risk assessment to determine if you have the appropriate security controls in place for GDPR, GLBA, FERPA, etc., please don’t hesitate to reach out to us.
Some additional guidance from our Security Advisor Team below:
[Campbell]: Those of a certain age (me) can recall when the original Whac-A-Mole game came out. As we see yet another information security, privacy, and compliance program taxing your already scarce resources, the challenge of keeping up with those moles is the first thing that comes to mind. While you certainly need to ensure that your institution is fully compliant with all relevant programs, if you treat each of them independently it can be both overwhelming and frustrating, like the game.
As discussed in the article, CampusGuard recommends that you leverage existing compliance frameworks and security controls. It’s all about efficiency. For example, perhaps you use NIST SP 800-171 to comply with both GLBA and GDPR. There will still be the effort to ensure that you meet the unique requirements of a given program, not to mention things like specific state breach notification laws, but one overarching security and compliance framework can address the bulk of the common security controls.