A month into implementation, how is your institution handling the EU's General Data Protection Regulation (GDPR)? For many institutions, there are more questions than answers, in part because the EU has not provided clearcut guidance regarding how to interpret the regulation.
“For most institutions, the first question is: does GDPR apply to us?” said AACRAO Vice President for IT Mark McConahay. “The answer depends on the nature of your student population and how you engage with that population -- if you use tools like CRM or digital tracking, if you actively recruit EU students, and so on.”
McConahay observes that there are “a lot of gray areas” regarding the GDPR. “The exact set of actions are unclear and at the discretion of individual institutions,” he said.
Institutional analysis
Along with AACRAO International Associate Director Julia Funaki, McConahay worked with a handful of other higher education stakeholders to produce the GDPR Interassociaiton Guide, which provides practical guidelines as to how institutions should perform their internal GDPR risk analysis, and what kinds of actions they may consider based on that analysis.
McConahay, Associate Vice Provost and Registrar at Indiana University, noted that the GDPR discussion at his institution involved the University Council, Chief Privacy Officer, and representatives from IT and chief processing stakeholders (including the offices of the Registrar, Bursar, Financial Aid, Admissions, and Online Education).
“We met in various combinations to discuss how to identify and follow all of the data paths that were associated with the students that we recruit and for whom we receive applications who ultimately enroll,” McConahay said. “We have three primary areas of discussion regarding student records at IU: pre-enrollment, enrollment, and post-enrollment. For each of these populations, we need to ask what is our relationship to GDPR.”
At IU, those populations are then divided into three categories: students who consume services domestically, students who are part of an overseas study or consortia that resides in EU, and students who participate in online education.
“Each category has distinct nuances that provide different interpretations about how and when GDPR is applied and what actions results from those conclusions,” McConahay said.
GDPR guidance
McConahay and Funaki are offering both a
live, free GDPR webinar and also targeted sessions at the upcoming
AACRAO Technology and Transfer Conference to hold a dialogue with members who would like to better understand how GDPR implementation might affect their campuses.
The Thursday, July 12 webinar will examine the first six weeks of implementation and address areas of greatest concern, as well as cover the primary recommendations of the GDPR Guide. McConahay will also discuss IU’s process -- how groups are divided based on student engagement, what populations are considered, what provisions of the GDPR are germane to those groups, and what potential actions IU will consider based upon that analysis. This informative session will also be held at the 2018 AACRAO Technology and Transfer Conference, and Funaki will also lead a roundtable discussion on GDPR.