GDPR & Higher Ed

The General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and many higher education institutions are wondering how it will affect their business practices, recruitment strategies, and ability to communicate with current and prospective students.

In case you missed it, we hosted a webinar with Kennedy & Company consultants Mickey Baines and Lauren Arimoto, and James Koons, senior privacy consultant from TrustArc, discussing the GDPR, why it’s relevant to higher ed, and how colleges and universities of all shapes and sizes can begin thinking about the steps to compliance.

At a high level, the goal of the GDPR is to provide EU citizens and residents more control over their personal data and how it’s being used. It also tightens the extent to which institutions must gain a prospective student’s consent to begin and maintain communication with them. This regulation will impact institutions that interact with EU resident or citizen data in any way: this could be through direct contact with students, prospects, alumni or faculty residing in the EU, and it even includes students who participate in study abroad programs in EU countries.

The high-level summary of steps to compliance discussed in the webinar includes:

  • Don’t lean solely on FERPA for compliance with GDPR. These are separate regulations and FERPA compliance does not necessarily mean GDPR compliance.
  • Audit all website forms and data tracking/processing to ensure proper compliance with GDPR.
  • Ensure third-party vendors and purchased list providers are documenting and providing proof of compliance with GDPR.
  • Update communication plans across your institution to comply with GDPR policies.
  • Ensure someone at your institution is working with your legal team to become compliant institution-wide.

For more information on how GDPR affects higher ed, you can view the full webinar recording and Q&A with participating institutions here.


Interested in digging in deeper on your own? You can also find the full text of the General Data Protection Regulation in an easy-to-navigate format here.