The GDPR and U.S. Universities

The Future of Privacy Forum released a fantastic report in May 2020 entitled “The General Data Protection Regulation: Analysis and Guidance for U.S. Higher Education Institutions.” As someone who has worked in U.S. university research management for over 25 years, I found this document a welcome addition covering a big sector of the U.S. economy. The author, Dr. Gabriela Zanfir-Fortuna, did an excellent job with this piece.

For those privacy professionals who work in U.S. higher education institutions, the most common university functions covered by the GDPR include: 1) The admission and enrollment of students; 2) Students studying abroad in formalized programs (for instance, “Semester Abroad” programs); 3) American universities having physical campuses outside the U.S.; 4) Online classes; 5) Alumni; and 6) Vendors.

Another area at many universities, research / grants & contracts, is not given extensive separate treatment, but mention is made of the “Archiving, Scientific, and Historical Research” exception against the processing of special categories of personal data (p. 9). Research agreements requiring many students’ personal data are discussed on pp. 17-18.

In terms of legitimate grounds most likely applicable to U.S. universities outside the EU as controllers, the author notes these: 1) Consent; 2) Contractual Necessity (entry or performance); 3) Legitimate Interests; and 4) A Vital Interest of the Data Subject or of Someone Else (p. 18).

Whether you are new to the privacy realm or to higher education more generally, this report is a handy guide for both technical and contextual reasons.
