A scant three weeks before implementation on May 25, many colleges and universities are still coming to terms with the GDPR, the European Union’s data protection regulation, which has considerably more teeth and reach than the previous Data Directive.
AACRAO conducted a survey in mid-April to find out where its members were with GDPR preparations. AACRAO received 400 responses to the survey. The respondents broke out in the following way:
60% private, non-profit institutions;
37% public institutions and
3% proprietary institutions.
Prior to opening the survey, nearly 20% of respondents were not aware of the EU GDPR. In other words, 72 of the 400 respondents had not encountered the news that GDPR was a month away from implementation. (It was interesting to see that, of the 12 respondents from proprietary institutions (3% of the total), 30% indicated that they had not heard of GDPR, but 100% indicated they were preparing for it.)
Of the institutions responding to the question “Has your institution begun planning for GDPR?”, 25% indicated that they had not begun to plan.
Institutions' most pressing concern regarding the GDPR is the data subject’s Right to Erasure (often referred to as the Right to be Forgotten). Of the respondents, 60% indicated the Right to Erasure is their top concern. At the bottom end of concerns (10%) were breach notification and institutional reputation in the event of non-compliance.
The survey results suggest that one area where there is an opportunity for growth is the relationship between controllers and their processing partners. Processors are often vendors serving an institution. Based on responses to the question “Have your vendors communicated with your institution regarding whether they are GDPR compliant, the roles each of you have in the relationship, and identification of GDPR data subjects?”, only 5% of vendors have communicated with the institution.
The registrar’s office is the top administrative area represented on a GDPR compliance team. This may not be surprising considering that FERPA and other compliance areas often reside in the registrar and records office. The scope of the GDPR seems to be reflected in the range of administrative units represented on the team, from athletics to information technology to human resources and international programs.
May 25 is just around the corner. While few, if any, institutions think they will be compliant with the GDPR by then, most institutions are aware of it and discussing what it means for their institution.
AACRAO will release an inter-association guide on GDPR on May 15, 2018.