EU data regulation to affect U.S. colleges and universities

U.S. organizations, including colleges and universities, could receive fines totaling up to $25 million each or 4 percent of annual revenue for failing to comply with a new European Union regulation that goes into effect May 25, according to the Information Commissioner’s Office in the U.K.

Advancement and admissions offices will be impacted the most.

The General Data Protection Regulation, which is meant to protect EU citizens and permanent residents from privacy and data breaches, affects organizations worldwide that process data relating to them.

Additionally, institutions must receive consent from EU constituents before communication begins—especially by email.

To comply, institutions must be aware of the data they’re holding, where it’s stored and how it’s used. Besides reporting any data breach, organizations must be prepared to retrieve, correct or erase data when requested.

In higher ed, this applies to colleges receiving donations and student application fees from countries such as France and Germany. Even e-newsletters sent to alumni living in the EU are subject to scrutiny by individual EU member states and entities within the European Commission.

Systemwide effort

Institutions may need to modify their business processes to comply, and, for that, they should seek counsel from their legal officers, says Julia Funaki, associate director of the American Association of Collegiate Registrars and Admissions Officers.

“It’s not a one-office issue, so there needs to be a systemwide discussion about what [colleges] have to do, how they can do it and where they might need to make adjustments.”

That includes updating privacy notices to state, in clear, concise language, what schools use data for and why they need to do so, says Brian Flahaven, senior director of advocacy at the Council for Advancement and Support of Education.

“The location of these notices is up to the institution,” he says. “The point is that they need to update them and get them in front of their constituents, most likely via email, the web or both.”

Notices also need to explain how processing the data won’t harm individuals. “Colleges have to ensure that the people they communicate with are being treated fairly and that they’re not holding data they don’t need,” says Flahaven.

Push for transparency

EU enforcement will most likely target larger companies, such as Google and Amazon, instead of colleges. However, institutions should still show due diligence and make a concerted effort to comply.

“The idea is to allow data processing to continue but to make it as minimally invasive and as transparent as possible,” Flahaven says. For more information on the regulation, visit
