EU General Data Protection Regulation
Higher education websites regularly use online forms, event registrations, pop-up polls, surveys and other devices that capture personally identifiable information. After 25 May 2018 that data could become subject to enhanced European Union (EU) data protection rules.
And, before you leave thinking this news isn’t relevant, one word: Extraterritoriality.
The EU’s General Data Protection Regulation (GDPR) applies to all organisations processing EU citizens’ personal data regardless of where those organisations are located.
University and college websites in the US, Canada, Australia, New Zealand and everywhere else are caught by GDPR. Understanding the degree to which an organisation will be impacted requires site-specific assessment.
If you don’t know how many personal data collection points exist on your websites, what data is being collected, who stores it, or whether EU citizens submit their data, you should read this article.
This post outlines an exercise that should give higher education organisations enough information to assess the scope and scale of online personal data collection and help institutions or departments in formulating fact-based responses to this regulatory change.
The General Data Protection Regulation updates the EU’s data protection legislation to strengthen consumer privacy rights for EU citizens.
The regulations apply directly to EU organisations, while recognising that personal data may be collected, stored and processed outside the EU. As a result, the regulations protect EU citizens’ personal data regardless of where that data is processed. If this approach seems like overreach, it simply mirrors the extraterritoriality of US FATCA regulations impacting banks and financial services firms outside the US.
Higher education institutions outside (and inside) the EU need to analyse how GDPR may affect them.
Why would GDPR affect higher education institutions?
Universities and colleges collect data for a wide variety of purposes. The more comprehensive online data gathering exercises likely revolve around student recruitment and alumni activities and are well understood, well controlled processes.
However, our research shows that ‘typical’ higher education websites (or web estates) have many pages gathering personal data, as visitors sign up for newsletters, register for events or participate in polls and surveys. These data collection points have a much lower profile, are less well documented and may be the principal potential source of GDPR concern.
Generally, forms like these have not collected citizenship information, so no record exists of whether data belongs to EU citizens. In theory, Google Analytics (GA) could be adapted to record an individual’s location data, but that approach still wouldn’t resolve citizenship, just location. And, Google would likely consider this use of GA in violation of its data privacy policies.
Rather than attempting to isolate data for EU citizens, it may be simpler to treat all data as if it belongs to EU citizens. This approach could work particularly well whenever data is being passed to hosted email campaign marketing services. In fact, services such as MailChimp or Constant Contact have already made provision for GDPR in their data handling.
Analysing websites to identify potential GDPR issues
One way of getting to grips with potential issues is by exploring six specific GDPR terms. GDPR applies to:
The intent behind these terms provides insight into potential issues that higher education websites may cause.
Personal data: Any information relating to an identified or identifiable natural person (a data subject) such as names, student numbers, email addresses etc.
In addition, for each form it would be prudent to record the data elements being collected. This exercise provides the base data to understand the scope and scale of any potential personal data collection issues.
Controller: A person or organisation (alone or jointly) determining the purposes and means of processing personal data.
Higher education institutions usually play the role of controller, as many (most?) university and college sub-units use third-party software applications to manage lists and content distribution by email.
As a controller, an institution still acquires responsibilities, but the burden of correctly storing, keeping current and deleting data falls to the processor.
The personal data collection inventory proposed above could be usefully extended to identify all third-party service providers, especially where visitors are taken off-site to hosted landing pages or the equivalent.
Processing: Any operation performed on personal data, such as collecting it, recording it, storing it or disclosing it, etc.
As a processor, an institution acquires data management responsibilities that are probably better suited to dedicated email campaign service providers that can implement process and software changes and share the costs of these over large numbers of customers.
A further refinement to the data collection audit would be to note locations in which personal data appears to be stored on self-hosted databases. If these exist, it may make sense to examine the costs and benefits of moving this data to a dedicated email campaign service or event management solution provider.
Processors: A person or organisation processing personal data on behalf of a controller.
For example, for web pages using MailChimp data collection forms, MailChimp is the processor and the organisation that ‘owns’ the website is the controller. For in-house processed data, the associated higher education institution or its sub-unit is the processor.
See our remarks in the previous section about identifying who is doing what with any personal data that is being collected, particularly where visitors may be taken to off-site landing pages.
Data Subject: An identifiable natural person. In other words, a website visitor who completes an online sign-up, event registration, form, poll or survey by supplying his or her personal data.
In looking at data collection forms on higher education websites, we note that some sites opt for a minimalist email address only, while others pull in additional details. Given the ubiquity of webmail email addresses, these provide few clues about a data subject’s location or citizenship. As a result, we believe it is difficult to segregate personal data captured for EU citizens from that captured for non-EU citizens and therefore not worth the effort.
Consent: A statement or clear affirmative action that’s freely given, specific, informed and unambiguous indicating the data subject's agreement to his or her personal data being processed.
GDPR updates the EU’s data protection legislation and in the process potentially affects organisations outside the European Union. GDPR’s full implications and the roles and responsibilities it places on organisations are beyond the scope of this article.
However, the first step in formulating responses to obligations GDPR may place on higher education institutions gathering personal information via their websites is to audit those sites, identify all the pages on which data collection takes place and the information being gathered. You may be surprised at what you discover.
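The audit described above can be partly automated. The following is an added example, not code from the original article: it lists the forms on a page, records the personal data fields each one collects, and notes whether the form posts to the institution's own host or to a third party. The field-name hints, the host names and the sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical keyword list; extend it to match your own field naming.
PERSONAL_HINTS = ("email", "name", "phone", "address", "student", "dob", "birth")

class FormCollector(HTMLParser):
    """Collects each <form> with its action URL and named data fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
        elif self._current is not None and tag in ("input", "select", "textarea"):
            kind = (a.get("type") or "text").lower()
            # Buttons and unnamed controls submit no visitor data.
            if a.get("name") and kind not in ("submit", "button", "reset"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def inventory_forms(page_url, html, site_host):
    """Return one inventory row per form that collects personal data."""
    collector = FormCollector()
    collector.feed(html)
    rows = []
    for form in collector.forms:
        # An empty or relative action resolves to the page's own host.
        target = urlparse(urljoin(page_url, form["action"])).hostname or site_host
        personal = [f for f in form["fields"]
                    if any(h in f.lower() for h in PERSONAL_HINTS)]
        if personal:
            rows.append({"page": page_url, "fields": personal, "posts_to": target,
                         "hosting": "self-hosted" if target == site_host else "third-party"})
    return rows

# Constructed sample pages (not taken from any real site).
NEWSLETTER = '<form action="https://lists.example.net/subscribe"><input type="email" name="EMAIL"><input type="submit" value="Join"></form>'
EVENT = '<form action="/events/register"><input name="full_name"><input name="student_number"><select name="session"></select></form>'
SEARCH = '<form action="/search"><input name="q"></form>'

if __name__ == "__main__":
    for url, html in (("https://www.example.edu/news", NEWSLETTER), ("https://www.example.edu/open-day", EVENT)):
        print(inventory_forms(url, html, "www.example.edu"))
```

This reads static HTML only, so forms injected by JavaScript or embedded in iframes still need a manual check or a headless-browser crawl.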
For more comprehensive information about the implications of GDPR we recommend starting with these two articles: “A year to get your act together: how universities and colleges should be preparing for new data regulations” and “GDPR: A Data Regulation to Watch”.