43: GDPR Compliance in Higher Education w/ Mark McConahay

ABOUT THIS EPISODE

Mark McConahay, Associate Vice Provost and Registrar at Indiana University – Bloomington and Vice President for Information Technology at AACRAO (The American Association of Collegiate Registrars and Admissions Officers) discusses why colleges and universities should be paying really close attention to the GDPR regulation coming out of the European Union, even outside of international recruitment activities.

I really believe if you take a look at it, all its provisions from our perspective are not so onerous that you won't be able to comply, and I don't think it's going to cost you an arm and leg to comply.

You're listening to Enrollment Growth University from Helix Education, the best professional development podcast for higher education leaders looking to grow enrollment at their college or university. Whether you're looking for fresh enrollment growth techniques and strategies or tools and resources, you've come to the right place. Let's get into the show.

Welcome back to Enrollment Growth University, a proud member of the Connect Edu podcast network. I MeriGolson, AVP of marketing at Helix Education, and we're here today with Mark McConahay, associate vice provost and registrar at Indiana University Bloomington and the vice president for information technology at AACRAO, the American Association of Collegiate Registrars and Admissions Officers. Mark, welcome to the show.

Hi, a pleasure to be here.

Really excited to talk today about why colleges and universities should be paying really close attention to the GDPR regulation coming out of the European Union. But before we dig into that, Mark, can you give the listeners a little bit better understanding of both Indiana University and your role there?

Sure. Indiana University is a system-wide school. I'm really a member of the flagship campus here in Bloomington, Indiana, but system-wide we have seven campuses and about a hundred and ten thousand students.

And talk a little bit about your role at Indiana.

My role is, I am the associate vice provost and registrar here on the Bloomington campus. I'm responsible for all of the academic records guardianship here on our campus. In the role that I have here as well, I'm also responsible for one-stop shop; financial aid reports to me, reporting reports to me, all under the auspices of enrollment management. Therefore, we try and serve all the students holistically and try to drive them all the way from the time they are...

...recruited until they graduate and ensure that they're treated well and they can conduct all their business at Indiana University as seamlessly as possible.

Awesome, awesome. Mark, the General Data Protection Regulation, GDPR, is a new regulation out of the European Union designed to give EU citizens the right to data erasure, the right to opt out of data tracking. Why is this EU law something that US institutions need to be aware of?

Well, as in all cases, we all, of course, are responsible for the guardianship and privacy of all student records. What's really interesting and different about what the GDPR has done, and really an updating of what they did back in, oh, I think one thousand nine hundred and ninety five. What they did then was really sort of a directive, and now it's a regulation, it's a true law with real teeth into it. So thus we really do have to pay attention to it. The things that are different are really, one, they really do specify the kinds of things, the kinds of rights each individual data subject can have and can invoke should they have a complaint or otherwise wish to basically negate anything that they want to do with the record. Now, let me be real clear. I think the overall intent of the GDPR was to, in essence, ensure that the individual data subjects had the right to prevent the dissemination of their electronic information, primarily for the purposes of marketing, for the purposes of analytics. However, they did understand, even as they wrote these kinds of provisions, that there were processes that indeed had to be done by institutions who were performing a contractual service with an individual institution. In our case, this is higher education. It's the dissemination of knowledge, it's the assessment of how well the student has earned or learned that knowledge, and thus there are some things that they even recognize in there that are not subject to all of the provisions of the GDPR. In essence,...

...what they really want to do is enable the data subject to control who and what happens to their electronic footprint as it moves on beyond their controls. In other words, it was really trying to take this step back, primarily, this is only my opinion, primarily aimed at the Googles of the world. In other words, how does that disseminate? What are the downstream consequences of those footprints?

Gotcha, gotcha. And so, Mark, for institutions who are actively recruiting international students from Europe, obviously understanding and complying with GDPR is a must. Are there any other use cases that institutions need to consider outside of international recruitment?

Outside of international recruitment? Sure. I think the most obvious one is really online education. A lot of US schools, particularly here in Bloomington, have a great many online education programs in which citizens of the EU, or even those residing in the EU territories, participate. If, in fact, they are consuming those services within the EU, they are likely to be subject to the provisions of the GDPR, and thus the institutions who are providing those services need to be aware of it. That's another obvious use case. The ones that are a little grayer, the kinds of decision areas that you need to pay attention to, are: what if I have consortial relationships with institutions in the EU? In fact, are they keeping records that might be subject to the provisions of the law and regulation? What if I have an overseas study program in which I am collecting information while they are working or otherwise performing their services within the EU? Are we then subject to the provisions of the GDPR? Those are the kind of things that we really have to pay attention to.

Let's get into some of the legal definitions. Can you help us, Mark, understand the concept of lawful basis? So under GDPR, when is it appropriate for a college or university...

...to process the student's personal data?

Well, there are really two kinds of areas. There's one, when necessary, and the other one is with consent. When necessary basically means if an individual data subject from the GDPR, or from the EU, comes in and contracts with an institution to perform services, and a set of operations that constitute the set of services that the student has contracted for are run, that is legal basis. Let me explain by example, and I think it's the most obvious one. I think one of the fears of the GDPR is the invocation of the right to be forgotten, and even as you sent me a question for this particular podcast, you mentioned, well, what if one of the students is doing poorly in a class and they then reach back and say, I invoke the right to be forgotten, right, for the course. And, of course, the idea there is no, and that's what I was referring to earlier. Legal basis says, look, you've entered into a contract with us, you have paid us money, and in turn we're going to provide instruction and we're going to provide an assessment for how well you've conserved and earned and learned from that instruction. We need to keep those records permanently, and we explain that to you as we enter into that contract. Thus, that is not one of the rights you can invoke, the right to be forgotten, because it is part of that legal basis upon which we have formed a relationship. So that's the primary reason we can't do that. I think it's worth saying that one's somewhat obvious. I think everyone will say, yeah, I earn a grade and I'm subject to all the academic policies of the institution. We understand it. What about other types of records we might keep, though? And I think that's something that each institution should take a look at. Obviously we're keeping an academic record. We're keeping courses, we're keeping grades. What about advising case management records? Are those subject to the same thing? Now...

...that can be subject to interpretation. You really need to take a look at those records, because someone might come in and say, you know, that conversation I had with this faculty member or this particular advisor, I wish that was forgotten. And there may be good reason for that, but that's a little bit of a grayer area. Is that really a part of that student's record, or rather is it something that contributes to the overall student record but isn't necessary for us to fulfill our contract?

You mentioned that this new regulation has a lot more teeth compared to the old guidelines out of the European Union. Can you walk us through some of the penalties associated with noncompliance, both financial and, in your opinion, just merely reputational?

I think it's really reputational. You know, I can't speak to the overall, how large the financial penalties will be. They're supposed to be very, very big. I haven't looked into exactly how big they might be; however, they're substantial, and that's the best I understand from that. I think, even more importantly, number one, all of us who deal with student records understand the role of guardianship, understand the role of privacy, and understand the role of security. It is in our best interest to always protect those student records and only disclose them when it's appropriate for the benefit of the student or for the educational purpose of the institution. However, in the case of the GDPR, we also want to be able to, especially for those institutions who have a fundamental desire to have an international footprint and to wish to have citizens or nationals from the EU as part of their student body, nothing could be worse than to discover a breach, or perhaps even worse, complete ignorance of the GDPR. In other words, no practices, no processes, no published guidelines and what they're going to do to protect your electronic privacy within the GDPR. As a matter of fact, I could find that if we're in such a competitive situation and we're...

...choosing between institutions, and one says, what is the GDPR, and the other one says, no, here's exactly how we're compliant and how we respond to the GDPR, I can imagine which particular institution that student would attend. Interesting. And just so, I think that's one of the fundamental dangers, in addition to the fact that we just don't want to disclose anything or inappropriately disclose information about any of the students that we protect.

Absolutely. And financially, some of the numbers that I have seen coming across as threats of noncompliance are twenty five million dollars or four percent of annual revenue, whichever is higher. So to your point earlier, it is more likely that the EU would come after big Silicon Valley juggernauts like Google, Facebook, Twitter before colleges and universities, but it is a big enough financial threat that we likely need to take it pretty seriously.

That's correct, and one thing I would add is that one of the things that we lack at this particular point of time is interpretation guidance, particularly coming out of the EU itself. That's exactly how to respond to the provisions of the GDPR, somewhat circumspect, and is going to be pretty unique to each institution, at least at this point.

Mark, what would you say to any higher ed leaders who are listening right now who are thinking to themselves, well, I know we're FERPA compliant, so we're probably GDPR ready as well?

I think they really ought to take the second look, and I think the most important thing to do is, number one, please understand from where all of your data sources come. In other words, you may not even think about it, but you may be receiving information from test score providers, from the College Board, from any other sources, and they may have mixed within them students from European Union countries and thus subject to the GDPR,...

...and unless you pay attention to them, you may find yourself liable to some of its provisions. I also think that you really need to pay attention to a couple of the other fundamental pieces. One of the things that GDPR provides is that you need to have someone who is primarily responsible for the security and privacy of records. Really need to pay attention to that. Having just worked through, and what do I want to say, I think I want to say acknowledging the need and understanding the provisions of the GDPR will, in my opinion, serve you very, very well. In other words, we had a side conversation right before the podcast in which we said we don't think they're coming after institutions of higher education first. Nevertheless, if there is a complaint, they certainly will approach them. If you have an understanding of what the GDPR is, if you have a set of practices, even if they're not exactly as interpreted as the EU would, but they were the best you could do given the time and given the lack of official guidance coming out of the EU, I think it will serve you well. In other words, they will say, well, you acknowledged it, you tried to be compliant, you're wrong maybe in these cases, fix that, but otherwise no problem. If you choose to ignore that, and you get a complaint and you're audited, I think it could well be, well, you completely ignored us, we're going to fine you, we're going to have findings in this regard, and we're either going to fine you and, at the very least, we're going to out you, and if you're outed, some of your reputation will never be gotten back.

Mark, I know you're about to release a paper with AACRAO about next steps institutions should take, from revisiting privacy policies, from revisiting and ensuring that your students have appropriate opt-out mechanisms in your...

...CRM, in your emails, on your websites. Do you have any next steps advice for institutions looking to better prepare for GDPR?

Yeah, I really do. I think the first thing you could do is get a working group associated with that, first involving university counsel, but then involving all of those who basically process any kind of PII, personally identifiable information. Any one of those people will all understand their data scenarios and be able to track their data scenarios and understand what happens to them. Once you put all of those people in one place, and you start to match that with the general provisions of the GDPR, you then understand, one, does it apply to us; two, how are we going to interpret it; and third, what should our appropriate response be? And I guess let me give one more opinion, which is, I think there are two responses out in the higher ed space right now. One is somewhat ignorance or just avoidance; in other words, we don't think it applies to us, I'm just going to ignore it. And the other one is, oh my gosh, I think this is the biggest privacy concern that's ever hit the world and we have got to push everything into it. And I honestly don't believe it's in either camp. I really believe if you take a look at it, all of the provisions from our perspective are not so onerous that you won't be able to comply, and I don't think it's going to cost you an arm and leg to comply, and I think, from all of those outcomes, it's well, well worth your effort to try and be in compliance and to write down how you intend to comply.

Mark, I can't thank you enough for your time today. What's the best place for listeners to connect with you if they have any follow-up questions?

Well, if you have any follow-up questions, feel free to write to my email, that's mccon, Aha, at Indiana Dot Edu. I would also direct you to the AACRAO webpage on the GDPR, which really serves as a traffic cop to many, many resources...

...and it really. If you go to AACRAO dot org, Signature Initiatives, Trending Topics, GDPR, you will find a wealth of resources both describing and actions associated with the GDPR.

Awesome. Thanks again so much for joining us today, Mark.

You bet. My pleasure to be here.

Attracting today's new post-traditional learners means adopting new enrollment strategies. Helix Education's data-driven, enterprise-wide approach to enrollment growth is uniquely helping colleges and universities thrive in this new education landscape, and Helix has just published the second edition of their Enrollment Growth Playbook, with fifty percent brand new content on how institutions can solve today's most pressing enrollment growth challenges. Download it today for free at helixeducation.com/playbook.

You've been listening to Enrollment Growth University from Helix Education. To ensure that you never miss an episode, subscribe to the show in iTunes or your favorite podcast player. Thank you so much for listening. Until next time.
