43: GDPR Compliance in Higher Education w/ Mark McConahay

ABOUT THIS EPISODE

Mark McConahay, Associate Vice Provost and Registrar at Indiana University – Bloomington and Vice President for Information Technology at AACRAO (The American Association of Collegiate Registrars and Admissions Officers) discusses why colleges and universities should be paying really close attention to the GDPR regulation coming out of the European Union, even outside of international recruitment activities.

I really believe if you take a look at it, all its provisions, from our perspective, are not so onerous that you won't be able to comply, and I don't think it's going to cost you an arm and a leg to comply. You're listening to Enrollment Growth University from Helix Education, the best professional development podcast for higher education leaders looking to grow enrollment at their college or university. Whether you're looking for fresh enrollment growth techniques and strategies or tools and resources, you've come to the right place. Let's get into the show. Welcome back to Enrollment Growth University, a proud member of the connect ETU podcast network. I'm Eric Olson, AVP of marketing at Helix Education, and we're here today with Mark McConahay, Associate Vice Provost and Registrar at Indiana University Bloomington, and the Vice President for Information Technology at AACRAO, the American Association of Collegiate Registrars and Admissions Officers. Mark, welcome to the show. The pleasure to be here. Really excited to talk with you today about why colleges and universities should be paying really close attention to the GDPR regulation coming out of the European Union. But before we dig into that, Mark, can you give the listeners a little bit better understanding of both Indiana University and your role there? Sure. Indiana University as a system. While at school I'm really a member of the flagship campus here in Bloomington, Indiana. That system wide we have a seven campuses and about a hundred and tenzero students. And talk a little bit about your role at Indiana. My role is I am the Associate Vice Provost and Registrar here on the Bloomington campus. I'm responsible for all of the academic records guardianship here on our campus. In the role that I have here as well, I'm also responsible for a one-stop shop. Financial aid reports to me, reporting reports to me, all under the auspices of enrollment management.
Therefore, we try and serve all the students holistically and try to drive them all the way from the...

...time they are recruited until they graduate, and they ensure that they're treated well and they can conduct all their business at Indiana University as seamlessly as possible. Awesome, awesome, Mark. The General Data Protection Regulation, GDPR, is a new regulation out of the European Union designed to give EU citizens the rights to data erasure, the right to opt out of data tracking. Why is this EU law something that US institutions need to be aware of? Well, as in all cases, we all, of course, are responsible for the guardianship and privacy of all student records. What's really interesting and different about what the GDPR has done, and really an updating of what they did back in, oh, I think, 1995. But they did then was really Alwa, sort of a directive, and now it's a regulation. It's a true law with real teeth into it. So thus we really do have to pay attention to it. The things that are different are really, one, they really do specify the kinds of things, the kinds of rights each individual data subject can have and can invoke should they have a complaint or otherwise wish to basically negate anything that they want to do with the record. Now, yet let me be real clear. I think the overall intent of the GDPR was to, in essence, ensure that the individual data subjects had the right to prevent the dissemination of their electronic information, primarily for the purposes of marketing, for the purposes of data analytics. However, they did understand, even as they wrote these kinds of provisions, that there were processes that indeed had to be done by institutions who were performing a contractual service with an individual institution. In our case, this is higher education, is dissemination of knowledge, is the assessment of how well the student has earned or learned that knowledge, and thus there are some things that they even recognize in there that are not subject to all of the provisions of the GDPR...

...In essence, what they really want to do is enable this the data subject to control who and what happens to their electronic footprint as it moves on beyond their controls? In other words, it was really trying to take this step back. Primarily, this is only my opinion, primarily aimed at the Googles of the world. In other words, how does that disseminate? What are the downstream consequences at those footprints? Got it, got it. And so, Mark, for institutions who are actively recruiting international students from Europe, obviously understanding and complying with GDPR is a must. Are there any other use cases that institutions need to consider outside of international recruitment? Outside of international recruitment, sure. I think the most obvious one is really online education. A lot of US schools, particularly here on Bloomington, have a great many online education programs in which citizens of the EU, or even those residing in the EU territories, participate in. If, in fact, they are consuming those services within the EU, they are likely to be subject to the provisions of the GDPR, and thus the institutions who are providing those services need to be aware of it. That's another obvious use case. The ones that are a little grayer, the kinds of data scenarios that you need to pay attention to are, what if I have consortial relationships with institutions in the EU? In fact, are they keeping records that might be subject to the provisions of the law and regulation? What if I have an overseas study program in which I am collecting information while they are working or otherwise performing their services within the EU? Are we then subject to the provisions of the GDPR? Those are the kind of things that we really have to pay attention to. Let's get into some of the legal definitions. Can you help us, Mark, understand the concept of lawful basis?
So, so, under GDPR, when is it appropriate for a college or university to process the student's personal data? If,...

...in fact, well, this is there are really two kinds of areas. There's one is when necessary and the other one is with consent. When necessary basically means if an individual data subject from the GDPR, or from the EU, it comes in and contracts with an institution to perform services and the set of operations that constitute the suite of services that the student has contracted for. Our run, that is legal basis. Let me explain by example, and I think it's the most obvious one. I think one of the fears of the GDPR is the invocation of the right to be forgotten. And even as you sent me a question for this particular podcast, you mentioned, well, what if? What if the student is doing poorly in a class and they then reach back and say, I invoke the right to be forgotten? Right for the source and of course, the idea there is no, and that's what I was referring to earlier. Legal basis as, look, you've entered into a contract with us, you have paid us money and in turn we're going to provide instruction and we're going to provide an assessment for how well you've concerned and earned and learned from that instruction. We need to keep those records permanently and we explain that to you as we enter into that contract. Thus, that is not one of the rights you can invoke, is the right to be forgotten, because it is part of that legal basis upon which we have formed a relationship. So that's the primary reason we can't do that. I think it's worth saying, that one's somewhat obvious. I think everyone will say, yeah, by in a grade and I'm subject to all the academic policies of the institution. We understand that. What about other types of records we might keep, though? And I think that's something that each institution should take a look. Obviously we're keeping an academic record, we're keeping courses, we're keeping grades. What about advising case management records? Are those subject to the same thing? Well, that can be subject to interpretation. You really...

...need to take a look at those records because someone might come in and say, you know, that conversation I had with this faculty member, with this particular advisor, I wish that was forgotten, and there may be good reason for that, but that's a little bit of a grayer area. Is that really a part of that student's record, or rather, is it something that contributes to the overall student record but isn't necessary for us to fulfill our contract? You mentioned that this new regulation has a lot more teeth compared to the old guidelines out of the European Union. Can you walk us through some of the penalties associated with noncompliance, both financial and the, in your opinion, just merely reputational? I think it's really reputational. You know, I can't speak to the overall how large the financial penalties will be. They're supposed to be very, very big. I haven't looked into exactly how big they might be. However, they're substantial and that's the best I understand from it. I think, even more importantly, number one, all of us who deal with student records understand the role of guardianship, understand the role of privacy and understand the role of security. It is in our best interest to always protect those student records and only disclose them when it's appropriate for the benefit of the student or for the educational purpose of the institution. However, in the case of the GDPR, we also want to be able to, especially for those institutions who have a fundamental desire to have an international footprint and to wish to have citizens or naturals from the EU as part of their student body. Nothing could be worse than to discover a breach or, perhaps even worse, complete ignorance of the GDPR. In other words, no practices, no processes, no published guidelines on what they're going to do to protect your electronic privacy within the GDPR. In matter of fact, I could find that if...

...we're in such a competitive situation and we're choosing between institutions and one says, what is the GDPR, and the other one says, no, here's exactly how we're compliant and how we've responded to the GDPR, I can imagine which particular institution that student would attend. Interesting, interesting. So I think that's one of the fundamental dangers, in addition to the fact that we just don't want to disclose anything or inappropriately disclose information about any one of any of the students that we protect. Answer absolutely like and ate and financially some of the numbers that I have seen coming across as threats of noncompliance are twenty five million dollars or four percent of annual revenue, whichever is higher. So it's your point earlier. It is more likely that the EU would come after big Silicon Valley juggernauts like Google, Facebook, Twitter before colleges and universities, but it is a big enough financial threat that we likely need to take it pretty seriously. That's correct, and one thing I would add is that one of the things that we lack at this particular point of time is interpretation guidance, particularly coming out of the EU itself. That's exactly how to respond to the provisions of the GDPR somewhat circumspect and is going to be pretty unique to each institution, at least at this point. Mark, what would you say to any higher ed leaders who are listening right now who are thinking to themselves, well, I know we're FERPA compliant, so we're probably GDPR ready as well? I think they really ought to take a second look and I think the most important thing to do is, number one, please understand from where all of your data sources come. In other words, you may not even think about it, but you may be receiving information from score providers, from the College Board, from any other sources, and they may have mixed within them students from European Union countries and thus subject to the GDPR, and unless...

...you pay attention to them, you may find yourself liable to some of its provisions. I also think that you really need to pay attention to a couple of the other fundamental pieces. One of the things that GDPR provides is that you need to have someone who is primarily responsible for the security and privacy of records. Really need to pay attention to that. Having just working through and, what do I want to say, I think I want to say acknowledging the need and understanding the provisions of the GDPR will, in my opinion, serve you very, very well. In other words, we had a side conversation right before the podcast in which we said we don't think they're coming after institutions of higher education first. Nevertheless, if there are complaints, they certainly will approach them. If you have an understanding of what the GDPR is, if you have a set of practices, even if they're not exactly as interpreted as the EU would, but they were the best you could do given the time and given the lack of official guidance coming out of the EU, I think it will serve you well. In other words, they will say, well, you acknowledged it, you tried to be compliant. You're wrong, maybe, in these cases, fix that, but otherwise no problem. If you choose to ignore that and you get a complaint and you're audited, I think you could be well be well, you completely ignored us. We're going to find you, we're going to have findings in this regard and Wei they're going to find you and at the very least we're going to outue and if you're out it, some of your reputation will never be getting back. Mark, I know you're about to release a paper with AACRAO about next steps in students should take, from revisiting privacy policies, from revisiting and ensuring that your students...

...have appropriate opt-out mechanisms in your CRM, in your emails, on your websites. Do you have any next steps advice for institutions looking to better prepare for GDPR? Yeah, I really do. I think the first thing you could do is get a working group Sociald with that first involving university counsel, but then involving all of those who basically process any kind of PII, personally identifiable information. Any of one of those people will all understand their data scenarios and be able to track their data scenarios and understand what happens to them. Once you put all of those people in one place and you start to match that with the general provisions of the GDPR, you then understand: one, does it apply to us? Two, how are we going to interpret it? And, third, what should our appropriate response be? And I guess, too, let me give one more opinion, which is I think there are two responses out in the higher ed space right now. One is somewhat ignorance or just avoidance, in other words, we don't think it applies to us, I'm just going to ignore it, and the other one is, oh my gosh, I think this is the biggest privacy concern that's ever hit the world and we have got to push everything into it. And I honestly don't believe it's in either. Can I really believe, if you take a look at it, all its provisions, from our perspective, are not so onerous that you won't be able to comply, and I don't think it's going to cost you an arm and a leg to comply. And I think from all of those outcomes it's well, well worth your effort to try and be in compliance and to write down how you intend to comply. Mark, I can't thank you enough for your time today. What's the best place for listeners to connect with you if they have any follow-up questions? Well, if you have any follow-up questions, feel free to write me at my email. That's mcco Naha at Indiana dot to you. I would also direct you to the AACRAO web page on the GDPR, which has a it really serves as a traffic...

...cop that many, many resources, and it really, if you go to AACRAO dot org, Signature Initiatives, Trending Topics, GDPR, you will find wealth of resources both describing and actions associated with the GDPR. Awesome. Thanks again so much for joining us today, Mark. You bet, my pleasure to be here. Attracting today's new post-traditional learners means adopting new enrollment strategies. Helix Education's data-driven, enterprise-wide approach to enrollment growth is uniquely helping colleges and universities thrive in this new education landscape, and Helix has just published the second edition of their Enrollment Growth Playbook with fifty percent brand new content on how institutions can solve today's most pressing enrollment growth challenges. Download it today for free at helixeducation.com/playbook. You've been listening to Enrollment Growth University from Helix Education. To ensure that you never miss an episode, subscribe to the show in iTunes or your favorite podcast player. Thank you so much for listening. Until next time.
