Over the past few months, the internet has been abuzz with talk of the EU’s new General Data Protection Regulation (GDPR), which is due to come into effect on May 25. The most impactful update to European data protection legislation in 23 years, GDPR promises to have serious implications for the way organizations across a number of industries deal with personal information, and its scope is such that even those not operating in EU states need to be mindful of its requirements.
For schools, getting GDPR-ready is about more than simply fulfilling their legal obligations. In the course of providing education, institutions gather large amounts of sensitive personal information about prospective, current, and past students, and have a responsibility to treat this data with the care it warrants.
In the context of student recruitment, it is also of vital importance that schools earn the trust and confidence of potential applicants by being clear and transparent about what information they are collecting, and why. Keep reading to learn what elements of GDPR you need to keep in mind in your marketing campaigns going forward.
An Overview of the GDPR for Education Professionals
The GDPR is replacing the 1995 Data Protection Directive. Created in the early days of the internet, the regulations in the previous directive have become increasingly archaic as the way data is collected and consumed has evolved in the online age.
The new regulations aim to unify the currently disparate data protection laws across EU member states, and to provide more extensive and enforceable rights to EU citizens in relation to how their data is processed. Recent controversies such as the Cambridge Analytica scandal have shone a light on how internet companies use and protect data, and the new regulations have been widely welcomed by the public.
The regulatory changes set out within the GDPR’s 250+ pages are ambitious and far-reaching, but some of the most pertinent areas for schools include:
Increased Territorial Scope and Applicability
The territorial scope of the Data Protection Directive was ambiguous, referring only to how it applied “in context of an establishment.” This led to a lot of confusion over whether organizations outside the EU or data from EU citizens collected outside its borders fell within the regulations.
The GDPR makes this a lot clearer. In addition to any data collected or processed within the EU, the regulations extend to any information collected from an EU citizen, regardless of where they or the data controller are located.
For schools, this means that any institution with prospective students, current students, alumni, or even employees from the EU needs to comply with the GDPR, essentially making it applicable to the entire education sector.
Example: An information page for Italian students on the University of Oregon website. Going forward, any school looking to recruit EU students like this will have to comply with the GDPR, regardless of where they are based.
Expanded Rights for Data Subjects
In addition to extending the scope of data protection for EU citizens, the GDPR also affords them far more rights, and states them more explicitly. The regulations enshrine an individual’s right to request access to and amendment of any data an organization holds about them, and also to make a “request to be forgotten,” compelling data controllers to delete their information.
It also introduces a right to “data portability,” which means that data controllers must be able to provide an individual with a digital copy of the information they hold which can be easily transferred to any other organization.
In addition, the GDPR introduces far more stringent, explicit requirements for obtaining consent to process personal information. This area is particularly pertinent for schools engaging in education marketing campaigns, and will be covered in more depth later in this blog.
Improved Privacy and Security Protections
The GDPR also imposes greater responsibility on organizations that collect data in relation to its privacy and security. Chief among these obligations is the legal requirement for “Privacy by Design.” In simple terms, this means that organizations collecting data must ensure that the systems they are using are designed from the outset to protect data, rather than retrofitted later on. An example of this would be using secure, encrypted software to collect and store student information.
Example: The University of Michigan offers detailed information about how it secures the data it collects in its privacy policy.
Stricter provisions have been put in place for data breaches, too. In the event that any personal data which could pose a risk is compromised, the GDPR makes it mandatory that the individuals in question are notified within 72 hours. Certain organizations will also be required to appoint a Data Protection Officer, whose chief responsibility is to ensure data protection and GDPR compliance. According to digital governance expert Kristina Podnar, this may apply to universities and schools, as it covers any organization deemed to be a ‘public authority.’
Penalties for Non-Compliance
Far from general guidelines or best practices, the terms of the GDPR are intended to be strictly enforced. Organizations found to be in breach can be fined up to €20 million or 4% of their annual global turnover, whichever figure is greater. With the stakes so high, it’s little wonder that professionals in all sectors are anxious to ensure that they are GDPR-ready.
Managing Higher Ed Marketing Consent Under GDPR
As stated earlier, one major way that the GDPR will change the way education marketing campaigns are conducted is in relation to consent. Under the new regulations, any organization looking to process data or contact internet users needs to obtain consent that is “freely given, specific, informed and unambiguous.” It is stated that “silence, pre-ticked boxes or inactivity” do not constitute consent.
Example: A mock-up of correct and incorrect consent approaches from email marketing company Litmus. Pre-ticked boxes have been specifically singled out by the GDPR as insufficient to signal consent.
This means that “soft opt-in” approaches to obtaining consent will no longer be considered valid under the GDPR. Instead, schools looking to process data and contact prospective students need to ensure that they obtain explicit, unambiguous consent. It must be unbundled from any other conditions and require a separate affirmative action from the user to opt in.
Example: The University of Nottingham has updated its online forms to comply with GDPR. Note how the form asks for a clear, affirmative action to gain consent, and informs users of the university’s data collection process, linking to its privacy policy.
Schools should also be mindful of the need to make it simple for users to opt out of receiving communications, and to request access or deletion of their data as per their mandated rights. Including standard unsubscribe links in your emails will probably suffice when it comes to opting out of receiving communications, although it is worth reviewing your mechanisms to make sure they are clear and easy for prospective students to access.
The best method of dealing with requests for access and deletion of data will largely depend on what kind of volume of these queries you expect. Smaller institutions will likely only receive a handful of these requests every so often, and can probably deal with them fairly easily. Simply making it clear on your website and in other marketing materials that prospective students can make these requests by email will likely suffice.
Example: Atlas Language School in Dublin makes it clear in its privacy policy that users can opt out of receiving contact, and request, amend, or delete their data at any time by emailing the school.
Larger schools and universities, on the other hand, may find that they receive hundreds of these requests on a much more frequent basis, particularly in the early days of GDPR implementation as web users become aware of their new rights. Customer Relationship Management (CRM) provider Mautic recommends creating specific “Request to be forgotten” and “Data requested” forms to deal with these queries, and this might be the best approach for larger institutions, allowing admissions teams to segment and organize them in order to ensure they are dealt with promptly.
Updating Your Privacy Policy in Line With GDPR
You may have noticed a flurry of emails from organizations in your inbox in recent weeks regarding updates to their privacy policies. This is the result of new guidelines set out in Article 12 of the GDPR, which mandates that any information relating to the collection of data be presented “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” The provision makes specific mention of the importance of this when dealing with information addressed to a child, making it especially important for schools that may be communicating with minors during their higher ed marketing efforts.
This new emphasis on simplicity and transparency means that your privacy policy is likely to need to be revised, with a view to eliminating any overlong, complex language and ‘legalese.’ Schools should be aiming to create more concise, simple statements which detail what kinds of data they collect and what it is used for in plain, easily understandable terms.
Example: Bournemouth University lays out how it collects and uses data simply in its updated privacy policy.
To accomplish this, your team will need to carefully consider all the possible data sources you have, and any information that you may gather from them. This could include personal data obtained through inquiry and application forms, information obtained through your follow-up contact with prospective students, as well as data from any supporting documents you obtain during the application process, such as financial information for scholarship applications and fee payments, or medical information provided by incoming students.
It will also expand beyond your student recruitment activities, and include data and information collected about current students and alumni, such as academic records, medical information, and any other personal data you may acquire during and after their studies. Marketing teams should be sure to coordinate with other departments to ensure that they are including everything they need to.
The GDPR has also expanded the definition of data that is considered personal to take in anonymized data, which would include analytics information gained on specific IP addresses through website interactions, as well as the use of cookies. Pseudonymized data, such as usernames people adopt on websites, is also protected.
Example: Stanford University runs the That’s So Stanford account on Tumblr, a site where users regularly use pseudonymized usernames. The account regularly accepts submissions from students. Under the GDPR, this information would need to be treated with the same care as other personal data.
Schools must also explain clearly how they use data. In marketing terms, this can encompass a broad spectrum of activities, ranging from collecting contact details of prospective students to analyzing data on previous leads to improve your approaches. Again, however, it will also go beyond the remit of your admissions process, and the wider data collection activities of your institution need to be taken into account.
Example: The University of Salford’s privacy policy includes a simple summary of how the school uses personal data.
Your school also needs to explain clearly how long data is stored for, and how it is secured. Being as clear and transparent as possible about this will go a long way towards not only complying with the GDPR, but in fostering the confidence of your audience.
The GDPR also requires data controllers to clearly state whether data is accessed by third parties, or is transferred internationally. Third parties can include any organizations whose marketing or web support tools you use, such as Google Analytics, online advertising platforms, or CRM and marketing automation service providers, so it is important to clearly explain this in your policy. Most large marketing and web service providers are likely to have already taken steps to get ready for GDPR, so it may be worth investigating the new policies of the services you use for more information on how they secure and safeguard data.
Since many of these companies are based in different locations around the world, it is also likely that your policy will need to include a statement explaining that data may be transferred across international borders, too.
Example: In its privacy policy, the University of Oxford makes it clear that its use of third-party contractors may result in data being transferred outside the EEA.
International transfer of data can also encompass anything as small as emailing personal details about a subject to a colleague in another country, so it is likely that almost all schools will need this provision.
Lastly, you will need to introduce new provisions in your privacy policy regarding the expanded rights of data subjects introduced by the GDPR, such as the right to access, amend and delete data, data portability, and easy opt-out and deletion. Again, these should be unambiguous, and provide clear instructions as to how prospects can request to have their rights upheld.
Example: The University of Derby’s privacy policy lists users’ rights in a separate section, and provides a direct link for them to make any requests.
Looking at GDPR Beyond Education Marketing
While this article focuses mainly on GDPR in relation to marketing and student recruitment, it’s worth reiterating that it will have many implications for schools beyond that. Student records, alumni engagement, and even the personal details of staff and faculty all need to be treated in accordance with the new regulations, and the road to compliance needs to be an institution-wide project.
It is also important to keep in mind that this post is merely meant to provide a broad overview of GDPR, and some basic advice for how to approach certain aspects of it. It is not intended to be taken as legal advice, and schools looking to ensure that they are fully compliant with GDPR should seek the expertise of qualified legal professionals.