March 20, 2024

Last Updated on April 16, 2024

Lately been having a lot more conversations with colleges and universities regarding data privacy regulations like the EU’s General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and other US state-level and international data privacy regulations.

This makes sense because multiple intersecting trends make protecting student and employee personal data a major concern in higher ed:

  • The EU has refined its GDPR enforcement strategy and has initiated over 40 enforcement actions against higher education institutions (HEIs) in EU countries and the UK.
  • More and more US states (14 so far, with 5 more coming in 2024) and national governments (e.g., Brazil, China) have enacted or will soon enact comprehensive data privacy legislation similar to GDPR.
  • Students, their parents, and US citizens in general are increasingly aware of their privacy rights and concerned about widespread threats to their personal data.

With pressure mounting from both regulators and the public, US colleges and universities must move decisively to ensure their data collection and sharing processes protect personal data and meet foundational privacy requirements. Schools also need to understand how privacy laws intersect with other applicable US laws like HIPAA, PCI DSS, and FERPA.


Does GDPR, etc. apply to US universities?

GDPR applies to any organization that processes the personal data of EU citizens. This means that any US institution of higher education (IHE) that has students, alumni, and/or applications from the EU, and/or conducts research involving EU citizens, must comply with GDPR requirements. With various caveats for how much data you have, the same applies to most international and US state-level privacy laws.

While IHEs represent a small percentage of GDPR enforcement actions to date, the potential for fines is significant and growing—especially for severe violations that result in data breaches or lead to complaints. GDPR non-compliance penalties can reach €20 million or 4% of total global revenue for the prior fiscal year.

Beyond the financial and reputational risks of noncompliance, a strong privacy program is essential for maintaining trust and safeguarding the personal data of students, faculty, and staff. Perhaps more than most organizations, an IHE’s commitment to privacy and data protection can impact its reputation for better or worse.


Basic privacy requirements for IHEs

Compliance with a comprehensive privacy framework like GDPR or CPRA requires a holistic approach to data protection that includes robust data governance practices, policies, and procedures reaching into every area of your diverse institution.

These are the core privacy principles common to many privacy laws, which all a university’s digital interactions should reflect:

  • Lawfulness, fairness, and transparency.
    You must process personal data lawfully, fairly, and in a transparent manner relative to each data subject.
  • Purpose limitation.
    Do not further process data collected for specific, explicit, and legitimate proposes in any manner that is incompatible with those purposes.
  • Data minimization.
    Collect and process only data that is necessary for the purposes for which you collected and processed it. Personal data should be accurate and, where necessary, kept up to date. All reasonable steps must be taken to ensure that inaccurate data is erased or rectified in a timely manner, consistent with the pruposes for which it is processed.
  • Storage limitations.
    Keep personal data in a form that permits identification of data subjects for no longer than is necessary for the purposes for which you collected and processed it.
  • Integrity and confidentiality (security functions).
    You must process personal data in a manner that ensures appropriate data security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Your institution as the data controller is responsible for and must be able to demonstrate compliance with privacy principles and requirements.
  • Consent mechanisms.
    You must obtain “freely given, specific, informed, and unambiguous” consent from individuals before processing their personal data, and support the ability for individuals to withdraw consent at any time.
  • Data Protection Officer.
    Your institution must appoint a Data Protection Officer (DPO) if it is: a) A public authority or body; b) processes data from regular, systematic, and large-scale monitoring of data subjects; or c) processes special categories of personal data related to criminal offenses on a large scale. DPOs or virtual DPOs are also recommended in many other contexts (see below).
  • Data breach notification.
    You must notify the appropriate data protection authorities within 72 hours of discovering a data breach. You may also need to notify the impacted data subjects in a timely manner.
  • Data Protection Impact Assessments.
    You must conduct a data protection impact assessment (DPIA) before initiating data processing operations that are likely to put the privacy rights and freedoms of individuals at high risk. Such operations include profiling, massive processing of sensitive data, and systematic monitoring of public areas.
  • Data subject rights.
    You must have mechanisms in place for data subjects to exercise their privacy rights. These can include the right to access, correct, delete, or restrict processing of their data, various rights related to automated profiling and decision-making, and more.


The role of information security in data privacy

It’s axiomatic that you can have security without privacy but not the other way around.

The two disciplines interrelate extensively, but have traditionally involved separate organizational roles and governance. Yet as more and more organizations build out privacy programs on top of their information security controls, does it now make sense to merge privacy and information security?

A more practical approach for most IHEs is to view the two disciplines holistically while respecting their different focus areas (e.g., security risks versus privacy rights). This is especially helpful in university environments, which must implement security and privacy across diverse groups from students to faculty to campus police to health services to research labs to alumni organizations to sports organizations, and so on.

Privacy compliance takes more than just solid data protection controls. To support individuals’ privacy rights you need to know what personal data you have, whose data you have, where it resides, how you collect it, why you collect it, how you process and share it, how long you can keep it, and more.


3 starting points to prepare for privacy compliance

If your organization has been waiting to address privacy compliance now is the time to begin. The effort is likely to be complex and ongoing. Following are 3 best-practice starting points to build the foundation for a successful privacy program:

  1. Map your data.
    What personal data do you have today? What personal data are you currently acquiring, and from where? Why are you processing it? Who has access to it? Answering these questions will guide your data mapping activities. Data mapping is essential to support multiple privacy requirements noted above, including accountability, data minimization, and data subject rights.
  2. Assign a DPO or virtual DPO even if you aren’t required to do so.
    As privacy concerns increase in importance, a specialist who can advise in an objective way on privacy compliance, interface with senior leadership, regulators, legal counsel, etc., and demonstrate your commitment to privacy can be an enormously valuable asset.
  3. Focus on upholding privacy rights.
    At the heart of GDPR, CCPA, and other privacy legislation is giving data subjects more control over their personal data. Safeguarding these rights in every aspect of your data processing operations will build your reputation and significantly reduce compliance risk. Thinking about these challenges from the start is key to ensuring that you can honor privacy rights efficiently and effectively.

Wherever your institution’s current privacy and data protection posture, the compliance stakes are high. Fines and reputational damage in the aftermath of a data breach could be far more costly than implementing a best-practice privacy program. Compliance is also essential for engaging with students and others from around the US and the world.

Making a strong initial effort now toward privacy compliance will pay large dividends well into the future.


What’s next?

If you have questions about privacy compliance, or need help with initiating or operationalizing your privacy program, CBIZ Pivot Point Security is here to help. Contact us to connect with a privacy compliance expert.