Over the past few months, the internet has been abuzz with talk of the EU’s new General Data Protection Regulation (GDPR), which is due to come into effect on May 25. The most impactful update to European data protection legislation in 23 years, GDPR promises to have serious implications for the way organizations across a number of industries deal with personal information, and its scope is such that even those not operating in EU states need to be mindful of its requirements.
For schools, getting GDPR-ready is about more than simply fulfilling their legal obligations. In the course of providing education, institutions gather large amounts of sensitive personal information about prospective, current, and past students, and have a responsibility to treat this data with the care it warrants.
In the context of student recruitment, it is also of vital importance that schools earn the trust and confidence of potential applicants by being clear and transparent about what information they are collecting, and why. Keep reading to learn what elements of GDPR you need to keep in mind in your marketing campaigns going forward.
An Overview of the GDPR for Education Professionals
The GDPR is replacing the 1995 Data Protection Directive. Created in the early days of the internet, the regulations in the previous directive have become increasingly archaic as the way data is collected and consumed has evolved in the online age.
The new regulations aim to unify the currently disparate data protection laws across EU member states, and to provide more extensive and enforceable rights to EU citizens in relation to how their data is processed. Recent controversies such as the Cambridge Analytica scandal have shone a light on how internet companies use and protect data, and the new regulations have been widely welcomed by the public.
The regulatory changes set out within the GDPR’s 250+ pages are ambitious and far-reaching, but some of the most pertinent areas for schools include:
Increased Territorial Scope and Applicability
The territorial scope of the Data Protection Directive was ambiguous, referring only to how it applied “in context of an establishment.” This led to a lot of confusion over whether organizations outside the EU or data from EU citizens collected outside its borders fell within the regulations.
The GDPR makes this a lot clearer. In addition to any data collected or processed within the EU, the regulations extend to any information collected from an EU citizen, regardless of where they or the data controller are located.
For schools, this means that any institution with prospective students, current students, alumni, or even employees from the EU needs to comply with the GDPR, essentially making it applicable to the entire education sector.
Example: An information page for Italian students on the University of Oregon website. Going forward, any school looking to recruit EU students like this will have to comply with the GDPR, regardless of where they are based.
Expanded Rights for Data Subjects
In addition to extending the scope of data protection for EU citizens, the GDPR also affords them far more rights, and states them more explicitly. The regulations enshrine an individual’s right to request access to and amendment of any data an organization holds about them, and also to make a “request to be forgotten,” compelling data controllers to delete their information.
It also introduces a right to “data portability,” which means that data controllers must be able to provide an individual with a digital copy of the information they hold which can be easily transferred to any other organization.
In addition, the GDPR introduces far more stringent, explicit requirements for obtaining consent to process personal information. This area is particularly pertinent for schools engaging in education marketing campaigns, and will be covered in more depth later in this blog.
Improved Privacy and Security Protections
The GDPR also places increased responsibility on organizations that collect data in relation to its privacy and security. Chief among these obligations is the legal requirement for “Privacy by Design.” In simple terms, this means that organizations collecting data must ensure that the systems they use are designed from the outset to protect data, rather than having protections bolted on later. An example of this would be using secure, encrypted software to collect and store student information.
Stricter provisions have been put in place for data breaches, too. In the event that any personal data which could pose a risk is compromised, the GDPR makes it mandatory that the individuals in question are notified within 72 hours. Certain organizations will also be required to appoint a Data Protection Officer, whose chief responsibility is to ensure data protection and GDPR compliance. According to digital governance expert Kristina Podnar, this may apply to universities and schools, as it covers any organization deemed to be a “public authority.”
Penalties for Non-Compliance
Far from general guidelines or best practices, the terms of the GDPR are intended to be strictly enforced. Organizations found to be in breach can be fined up to €20 million or 4% of their annual global turnover, whichever figure is greater. With the stakes so high, it’s little wonder that professionals in all sectors are anxious to ensure that they are GDPR-ready.
Managing Higher Ed Marketing Consent Under GDPR
As stated earlier, one major way that the GDPR will change the way education marketing campaigns are conducted is in relation to consent. Under the new regulations, any organization looking to process data or contact internet users needs to obtain consent that is “freely given, specific, informed and unambiguous.” It is stated that “silence, pre-ticked boxes or inactivity” do not constitute consent.
Example: A mock-up of correct and incorrect consent approaches from email marketing company Litmus. Pre-ticked boxes have been specifically singled out by the GDPR as insufficient to signal consent.
This means that “soft opt-in” approaches to obtaining consent will no longer be considered valid under the GDPR. Instead, schools looking to process data and contact prospective students need to ensure that they obtain explicit, unambiguous consent. It must be unbundled from any other conditions and require a separate affirmative action from the user to opt in.
Schools should also be mindful of the need to make it simple for users to opt out of receiving communications, and to request access or deletion of their data as per their mandated rights. Including standard unsubscribe links in your emails will probably suffice when it comes to opting out of receiving communications, although it is worth reviewing your mechanisms to make sure they are clear and easy for prospective students to access.
The best method of dealing with requests for access and deletion of data will largely depend on what kind of volume of these queries you expect. Smaller institutions will likely only receive a handful of these requests every so often, and can probably deal with them fairly easily. Simply making it clear on your website and in other marketing materials that prospective students can make these requests by email will likely suffice.
Larger schools and universities, on the other hand, may find that they receive hundreds of these requests on a much more frequent basis, particularly in the early days of GDPR implementation as web users become aware of their new rights. Customer Relationship Management (CRM) provider Mautic recommends creating specific “Request to be forgotten” and “Data requested” forms to deal with these queries, and this might be the best approach for larger institutions, allowing admissions teams to segment and organize them in order to ensure they are dealt with promptly.
You may have noticed a flurry of emails from organizations in your inbox in recent weeks regarding updates to their privacy policies. This is the result of new guidelines set out in Article 12 of the GDPR, which mandates that any information relating to the collection of data be presented “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” The provision makes specific mention of the importance of this when dealing with information addressed to a child, making it especially important for schools who may be communicating with minors during their higher ed marketing efforts.
To accomplish this, your team will need to carefully consider all the possible data sources you have, and any information that you may gather from them. This could include personal data obtained through inquiry and application forms, information obtained through your follow-up contact with prospective students, as well as data from any supporting documents you obtain during the application process, such as financial information for scholarship applications and fee payments, or medical information provided by incoming students.
It will also expand beyond your student recruitment activities, and include data and information collected about current students and alumni, such as academic records, medical information, and any other personal data you may acquire during and after their studies. Marketing teams should be sure to coordinate with other departments to ensure that they are including everything they need to.
Example: Stanford University runs the That’s So Stanford account on Tumblr, a site where users regularly use pseudonymized usernames. The account regularly accepts submissions from students. Under the GDPR, this information would need to be treated with the same care as other personal data.
Schools must also explain clearly how they use data. In marketing terms, this can encompass a broad spectrum of activities, ranging from collecting contact details of prospective students to analyzing data on previous leads to improve your approaches. Again, however, it will also go beyond the remit of your admissions process, and the wider data collection activities of your institution need to be taken into account.
Your school also needs to explain clearly how long data is stored for, and how it is secured. Being as clear and transparent as possible about this will go a long way towards not only complying with the GDPR, but in fostering the confidence of your audience.
The GDPR also requires data controllers to clearly state whether data is accessed by third parties, or is transferred internationally. Third parties can include any organizations whose marketing or web support tools you use, such as Google Analytics, online advertising platforms, or CRM and marketing automation service providers, so it is important to explain this clearly in your policy. Most large marketing and web service providers are likely to have already taken steps to get ready for GDPR, so it may be worth investigating the new policies of the services you use for more information on how they secure and safeguard data.
Since many of these companies are based in different locations around the world, it is also likely that your policy will need to include a statement explaining that data may be transferred across international borders.
International transfer of data can also encompass anything as small as emailing personal details about a subject to a colleague in another country, so it is likely that almost all schools will need this provision.
Looking at GDPR Beyond Education Marketing
While this article focuses mainly on GDPR in relation to marketing and student recruitment, it’s worth reiterating that it will have many implications for schools beyond that. Student records, alumni engagement, and even the personal details of staff and faculty all need to be treated in accordance with the new regulations, and the road to compliance needs to be an institution-wide project.
It is also important to keep in mind that this post is merely meant to provide a broad overview of GDPR, and some basic advice for how to approach certain aspects of it. It is not intended to be taken as legal advice, and schools looking to ensure that they are fully compliant with GDPR should seek the expertise of qualified legal professionals.