General Data Protection Regulation: What International Educators Need to Know Wednesday, May 30, 2018

Post on 10-Aug-2020


Page 1: GDPR - What International Educators Need to Know · Educators Need to Know ... Caroline Donovan White, Senior Director, Education Abroad Services, NAFSA: Association of International

General Data Protection Regulation: What International Educators Need to Know

Wednesday, May 30, 2018

Presenters

Jason Baumgartner, Director for Information Services, University of Indiana – Bloomington

Sandra Casey, Deputy Counsel, The State University of New York

Erica Lutes, Executive Director, Fulbright Commission, Belgium & Luxembourg

Caroline Donovan White, Senior Director, Education Abroad Services, NAFSA: Association of International Educators

Overview

• Overview
• Why should you care?
• Risk Assessment
• Case scenarios – Interactive discussion
• Framing questions
• How has your institution prepared?
• Q&A

Overview of GDPR

The General Data Protection Regulation (GDPR) was adopted by the European Commission in order to strengthen and unify data protection for all individuals within the European Union

Came into effect on May 25, 2018

Key changes in GDPR include:

• Extended jurisdiction with extra-territorial applicability
• Penalties for non-compliance
• Stronger conditions for seeking informed, explicit consent
• Additional rights for data subjects, including mandatory data breach notification, data erasure (“right to be forgotten”), and privacy by design

Key Terms

• Personal Data
• Sensitive Personal Data
• Data Controller
• Data Processor
• Data Subject

Key Principles

• Fairness & Transparency
• Purpose Limitation
• Data Minimization
• Accuracy
• Storage Limitation
• Integrity & Confidentiality
• Accountability

Why should you care?

Risks of Non-Compliance

Risks:

• Fines
• Breach notification laws
• Greater scope for actions from individuals
• Reputational harm

Risk Assessment

Risk Assessment and First Steps

Who needs to be involved?

• Stakeholders
• GDPR working group

What does the group need to consider?

• Identification of populations/units affected
• Existing policies
• Examine business processes

Recommendations

• Procedures/practices for compliance

Implementation

• Strategies for rollout
• Costs

Case Scenarios – Interactive Discussion

Case Scenarios

• International Enrollment Management (IEM)
• Education Abroad (EA)
• International Student & Scholar Services (ISSS)

International Enrollment Management

A recruitment staff person employed by University X, solely established in Nebraska, attends a recruitment fair in Spain and collects information (inquiry cards) from attendees of the fair who express an interest in attending University X. Upon returning to University X, recruitment staff inputs data from the cards into the CRM, and University X uses that information for future outreach campaigns. Does your institution consider this area to be subject to GDPR? How does GDPR apply at your institution?

Education Abroad

University X student attends a study abroad or internship program in an EU country with a consortia arrangement with an EU School. Student attends for a semester, pays fees at home institution. EU school has final decision on admission. Student completes work in European, with student academic transmitted to University X. EU records are maintained at only as source documents. Does your institution consider this area to be subject to GDPR? What are the GDPR requirements, if any?

International Student and Scholar Services

Jose from Spain did not have a good semester as an F-1 student at University X. He withdraws from the University and returns to Spain. After a year, he emails the ISSS office to request that his record be erased as his GDPR right to be forgotten. As part of record keeping and compliance, ISSS reports required data to DHS’s Student and Exchange Visitor Program (SEVP) through SEVIS (Student and Exchange Visitor Information System). Does your institution consider this area to be subject to GDPR? How does GDPR apply at your institution?

Framing Questions

• What data do we handle?
• Where does it come from?
• How is it being processed?
• Why is it being collected?
• How and where is data stored?
• Who has access?

How has your Institution prepared?

Implementation

1. Raise awareness of GDPR within your organization by offering training sessions for staff, sending out webinars/presentations, etc. and appointing a data protection officer

2. Appoint DPO or allocate responsibilities for data protection issues within the organization

3. Create GDPR Compliance Program to keep track of your efforts ("gap analysis", to what extent is my organization compliant?)

4. Engage in data mapping to create data register that identifies the personal data you process (including the legal basis for this processing)

5. Contact service providers to update existing contracts and undertake necessary IT measures (e.g., working with IT consultant to ensure password-protected computers, firewalls on WiFi networks)

6. Create/update privacy notices, notifications, and consent forms and determine when and by whom these notices will be received and signed

Case study: Fulbright Commission in Brussels

Began working on GDPR with legal counsel in December 2017; several meetings in order for ED to understand ins/outs of GDPR compliance requirements and for lawyer to understand ins/outs of Fulbright Commission

Contacted contractors (e.g., accounting, IT) to update contracts and inquire about GDPR compliance in December 2017

Provided GDPR training to staff members in January 2018

Finalized data protection notice, guide, and consent forms and distributed them to staff and sub-processors in March 2018 (with deadline by which to sign and return)

Began distributing data protection notices to American and European Fulbright grantees along with (updated) Terms of Award in April 2018

EXAMPLE: FULBRIGHT BRUSSELS

Sample GDPR timeline: foreign students/scholars

| WHEN | WHAT | WHO |
| --- | --- | --- |
| December 1 | Fulbright Commission downloads applications from Embark | |
| Early December | Fulbright Commission sends confirmation email to every applicant, containing: • Confirmation that application is complete (or request for missing information) • Summary of application timeline • Data protection notice (signature not required at this time) | All applicants |
| Late January | Fulbright Commission obliges all applicants invited to interview to sign additional consent form + data protection notice | Top-ranked applicants invited for interview |
| Early March | Fulbright Commission obliges all selected grantees to sign Fulbright Terms of Award + IIE Terms & Conditions | All grantees |
| During/after Fulbright grant | Fulbright Commission updates consent form as needed for additional use of personal data (e.g., interviewing grantees for Fulbright YouTube Channel) | Select grantees |

Buckets of Data and Effect of GDPR

Example: EU individual (physically located in the EU) applying to a United States institution to become a student in the United States.

1. Information Transmitted from EU resident to US institution – i.e., application for admission (student physically in the EU)

2. Information Gathered from EU resident while a student at institution (student physically in the US)

3. Information Gathered or Retained from EU resident after termination of association with US institution – e.g., alumni activities, job placement assistance (student physically in the EU)

Generally, buckets 1 and 3 are covered by GDPR but bucket 2 is not, unless data bleeds over into bucket 3.

*** Even if data is protected by GDPR, the data subject does not have a right to request to remove data that is maintained for a business necessity.

Consent

When is consent needed?

Notice & consent may be warranted under the GDPR for such items as:

• In-person recruitment events
• Targeted online recruitment activity

Some schools are including consent at the point of application

If you are considering a consent statement we recommend:

• Making sure the data is subject to GDPR and no other “lawful basis” exists for processing the data
• Verifying the need and language with your legal counsel for any consent notice

Q&A


Resources

NAFSA: www.nafsa.org/gdpr, includes link to the AACRAO, NACAC, NACUA et al. new resource: Interassociational Guide: Implications of the General Data Protection Regulation.

Articles and Recitals of the EU GDPR https://gdpr-info.eu/

AACRAO http://www.aacrao.org/resources/trending-topics/gdpr

CASE

• Currents article on GDPR considerations for advancement offices http://www.case.org/currents/the-key-to-understanding-gdpr?_zl=CmrL4&_zs=HqSME1

• GDPR Resource page (CASE member login required) www.case.org/gdpr

EDUCAUSE

• All EDUCAUSE GDPR resources and links to other helpful resources can be found here: https://library.educause.edu/topics/policy-and-law/eu-general-data-protection-regulation-gdpr (keep scrolling on the page for all relevant resources)

• Article by EDUCAUSE’s Joanna Grama for College and University Professional Association for Human Resources on the GDPR https://www.cupahr.org/data-privacy-gdpr/

Thanks again to our presenters!

Jason Baumgartner

Sandra Casey

Erica Lutes

Caroline Donovan White

Please complete this session evaluation NOW! Or FAVORITE now and EVALUATE later!