Skip to Main Content

A personal data primer: How higher education institutions can prepare for the GDPR


On May 25, 2018, a European Union (EU) law called the General Data Protection Regulation (GDPR) went into effect. This law affects private and public organizations that collect, process, manage, and store the personal information of EU citizens. Therefore, the GDPR may affect higher education institutions in the United States.

The deadline to comply with the GDPR was
May 25, 2018.

What is the GDPR?

The GDPR is a law that protects the personal information of all EU citizens, regardless of where their personal information is located and stored. The GDPR aims to give EU citizens greater protection and control of their personal information. Regulation coverage extends to all organizations—whether or not they have physical EU footprints—that control or process the personal information of EU citizens.

How does the GDPR define “personal information”?

The GDPR’s definition of “personal information” is more expansive than most U.S. definitions. Under the GDPR, “personal information” includes a person’s name, title, address, and other basic identifying information—along with information about the person’s health, finances, race, ethnicity, and sexual orientation.

What higher education institutions must comply with the GDPR?

Higher education institutions must comply with the GDPR if they:

  • Have students from the EU
  • Have a physical presence in the EU, such as a campus
  • Offer semester-abroad programs in the EU
  • Accept Euros for any type of payment (tuition, fees, etc.)
  • Receive EU-initiated applications from EU citizens
  • Transmit personal information to EU institutions

How will the GDPR affect higher education institutions?

In general, higher education institutions need to carefully consider where and how they store personal data, and work to ensure third-party vendors also comply with GDPR.

Specifically, higher education institutions will need to follow a number of data privacy and data security requirements, such as:

  • Ensuring data security practices are in place
  • Implementing privacy restrictions and personal data usage policies
  • Developing a personal data consent collection process
  • Identifying a data protection officer (DPO)
  • Implementing appropriate measures to protect personal data
  • Adhering to the GDPR breach notification processes

According to a source at the U.S. Department of Education (DOE), complying with GDPR should not be an IT initiative, but rather an organizational initiative that requires the commitment of institutional leadership to prioritize resources, policies, and processes.

How will the GDPR benefit higher education institutions?

As a result of the GDPR, students will have more control over their personal data. Not only will they have access to their personal information with them, but students will also have the right to be forgotten. Essentially, the student will have the right to have their personal data erased from the institution’s system if any one of several conditions apply, such as data is no longer necessary or data has been unlawfully processed, for example.

What happens if my institution doesn’t comply with the GDPR?

For-profit organizations can be fined up to $24 million, or 4% of global revenue (whichever is greater), for GDPR violations. It is uncertain how nonprofit organizations, such as higher education institutions, will be fined.

How enforceable is the GDPR?

The current information about GDPR enforcement and fines relates primarily to for-profit organizations. However, it is likely that the GDPR will be enforced for U.S. higher education institutions that collect, process, manage, or store the personal information of EU citizens—either by having a physical campus in the EU, or by allowing EU students to attend classes in the United States. EU data protection authorities will likely follow international law in administering and collecting fines for any GDPR violations. The same DOE source states, “GDPR enforcement will be more about litigation, than legislation.” While fines for for-profit organizations may be higher than fines than non-profit, an organization’s reputation may be negatively damaged for lacking strong data security controls.

If the GDPR is enforced for U.S. higher education institutions, the potential fines for noncompliance are significant and not worth the risk. In most cases, institutions will be unable to afford the fines.

How can I ensure my higher education institution complies with the GDPR?

Our 10-step check list provides a good overview of actions to becoming GDPR compliant. A next step is to develop a road map for mitigating any risks.

What’s next?

The GDPR is in effect now. It has a broad reach and significant financial implications for noncompliance for all organizations that collect, process, manage, and store EU citizen data. The specifics of the GDPR are likely to require significant internal assessments and changes to current policies and controls. 

BerryDunn’s higher education team has been focused on advising college and universities, and providing overall value for the last 44 years. BerryDunn is well qualified to assist higher education clients in understanding the GDPR landscape, assessing their compliance risk, and developing mitigation strategies.

If your institution needs help understanding the GDPR, conducting an audit and gap analysis, or developing a road map for addressing risks, please contact BerryDunn.

CNET (2018). What the GDPR means for Facebook, the EU and you.

Educause (2017). GDPR: A Data Regulation to Watch.

European Commission (2018).

Trustarc (2018). Essential Guide to the GDPR. 

Related Industries

Related Professionals


BerryDunn experts and consultants