A catalyst for change: higher education’s response to GDPR
Last month, our UK accountants told me they could no longer receive our financial documents via email – as it wouldn’t be considered secure under the new GDPR (General Data Protection Regulation) requirements.
It was a timely reminder of just how far-reaching the consequences of this single, robust legislation will be. And if you’re still questioning the need to re-think the use of email, just remember the last time you were sent an email in error – or hit send too quickly yourself.
For our accountant, a secure portal is the only answer. And higher education institutions and their agents should probably follow suit.
Yes, you will need to comply with GDPR
Even if your institution doesn’t physically operate within the European Union (EU), it will be affected by GDPR. If you have employees (academic or support staff), students, prospective students, alumni donors, or research grants from EU countries – you are holding data about EU citizens. And as of May 25 2018, the way you control and process that data is now subject to some simple, solid principles.
At StudyLink, we’re approaching GDPR as a great opportunity to review our data management and capture processes. I want to ensure we meet this new global benchmark for best practice, because any organisation that is serious about protecting personal data should.
Over the past 20 years, individuals have consciously or unconsciously shared enormous amounts of personal (often highly sensitive and identifying) data with an ever-increasing number of tech platforms. We all know just how valuable that data is. This is the first time organisations have received serious and transparent guidelines on how to handle their responsibility for that data. And the first time people have been overtly given control over the information they share.
Re-thinking systems and processes
GDPR replaces 28 different data protection laws in place across Europe. And its guiding principles are simple: if you’re going to capture someone’s data, tell them clearly what you’ll use it for, make sure they understand what they are agreeing to, and then ensure you protect their information.
However, the legacy systems that currently manage these processes – and the sheer volume of data we collect – make this a complex and challenging task. So many procedures and policies aren’t compliant, needing a laser-focused redesign that puts privacy first – and meets requirements for every aspect of data management and processing.
Data is also constantly moving across global borders. Knowing where it is stored can be a challenge, which is why agents need to be mindful of the data sharing agreements they are already being asked to sign.
Key changes you need to know
You can no longer rely on implied consent to collect, use and share data. So it’s essential to review your privacy policies and consent forms. This may mean re-wording key parts of university admissions forms.
For example, if you have a partner pathway college, the applicant will need to answer the specific question: ‘If you don’t meet our entry requirements, do you agree for us to pass your information to (that college)?’ You’ll also need to ask for explicit permission to contact them through each channel, whether that’s email, phone, mail or the StudyLink Connect portal.
We are working with our provider partners to help them update all their application forms, and we can also assist with ongoing changes to personal information via our secure portal. We will be able to share draft GDPR-compliant wording for application form declarations with providers as part of this.
It’s important to note that higher education institutions are still the ‘data controllers’ under GDPR legislation, and responsible for any agreement with prospective and current students about their privacy and consent. StudyLink Connect is the ‘data processor’, and we are also actively working to include European centres in our secure data-hosting network.
We’re also moving our agent partners to individual log-ins. Just as you should no longer share personal data with a generic email account, generic log-ins are a risk. Secure portals (like StudyLink Connect) may eliminate the risk of sending the wrong information to the wrong person, but only if you know who is accessing that data.
Connecting globally with trust and transparency
It’s a significant process of change, but an important one that goes deep into the best practice of managing personal information. And a great opportunity to thoroughly review every process, system and practice to put the individual’s data security and privacy first – no matter where in the world they come from – while also understanding the extent of the data we hold.
We also see it as a way for institutions to build trust with employees, students and a wider network of stakeholders. And we are looking forward to working with our institutions and agent partners to reach new standards in data protection.