Laurens Vehmeijer Daniela Dandes

Transcription

1 GDPR and Student Recruitment Laurens Vehmeijer Daniela Dandes

2 Laurens Vehmeijer Who are we anyway? Analytics Consultant & Interim Data Protection Officer Background in Life Sciences Since 2015 data analytics & consulting in Higher Education (HE) Since late 2017 involved with GDPR Daniela Dandes Lead Intelligence writer Background in digital marketing and branding Since 2012 active in digital marketing Since early 2018 involved with GDPR

3 About Studyportals Our company Our role in student recruitment Agenda GDPR basics Background and introduction Core principles Definitions and roles Rights and obligations Our Goal? An introduction to Getting compliant Advised first steps Record of processing activities and risk assessment Consequences of non-compliance GDPR and what we think it means for In closing Advised first steps Key Takeaways student recruitment

4 About Studyportals

5

6 Studyportals at a Glance Introduction 8 Portals 28+ million unique 370,000 international 3, ,000 courses 195+ employees / users student enrolments (2017) participating in 120 countries 35 nationalities (2017) institutions Office Locations: Boston Bucharest Eindhoven (HQ) Manchester Melbourne Monterrey

7 Our place in funnel

8 GDPR basics

9 Goes into effect the 25 th of May 2018 Privacy protection regulations adopted in April 2016, replacing the GDPR General 1995 European privacy law Up until now has been a grace period Organisations should be compliant before that date Data Exact regulations appear strict but open to interpretation Lots of emphasis on compliance-minded culture and privacy by design Protection Applies to organisations that process EU personal data Located in the EU Activities in the EU Regulation Data Subjects located in the EU only organisations that do nothing in the EU and have no Data Subjects in the EU are exempt i.e. nobody

10 GDPR General Intention is to strengthen and harmonise EU data protection Data Universal (new) rights for natural persons Expanded and unified territorial application Expanded data governance obligations Protection The goal of GDPR is to curb bad actors Bullying SMEs or Higher Education Institutions (HEIs) is not the goal But, strictly speaking, serious violations could ruin any organisation Making a serious effort for compliance is taken into consideration! Regulation

11 Core principles Core Commandments of GDPR (Article 5) Personal data shall be: Used lawfully, fairly and transparently to Data Subject Exclusively for specific, explicit and legitimate purposes Adequate, relevant and minimised Kept accurate and up-to-date (where necessary) Retained no longer than necessary Protected with appropriate security measures

12 In layman s terms Nutshell Basically: People own data about themselves. Organisations don t own personal data They just borrow it for specific purposes, agreed upon with Subject Onus on them to inform, get consent, protect it and let Subjects exert control

13 Data Subject(s) Natural person to whom personal data relates Roles Students Employees Other contacts (prospective, current, alumni) (applicants, current, past) (agents, partners, vendors, etc.) Data Controller Determine(s) the purposes and the manners in which personal data is processed. The primary party responsible for compliance. Data Processors Process(es) data on behalf of the Data Controller. Processing is anything done to or with personal data, whether automated or not. Collect, use, record Retrieve, consult, disclose Anonymise, pseudonymise, delete

14 Personal data Personal data Any data that can be directly or indirectly related to a natural person (Data Subject) Identifiable personal data can connect personal data to a Data Subject Phone number Online pseudonym Account number Name Place & date of birth Gender Nationality Device ID IP address Address Citizen ID Browsing Cookie Passport number Behavioral data behavior Interests Career details

15 Sensitive Personal Data Effectively, the type of data that could be used to persecute someone Stricter rules apply to data that has been ruled sensitive Best to just avoid collecting/storing/using this data if it s not necessary Sexual life or orientation Health data Special personal data Religious or philosophical beliefs Political opinions Racial or ethnic origin Trade union membership Genetic data Criminal convictions or offences Anonymous Personal Data Data from which a Data Subject cannot be (reasonably) identified (i.e. no identifiers) GDPR does not apply Be careful enough personal data, even without identifiers, can identify a Data Subject Pseudonymous Personal Data Data from which a Data Subject is harder to identify without a key Can be anything from an Student number to secure encryption GDPR does apply but requirements are lower Pseudonymisation is encouraged by GDPR and is important part of privacy by design

16 Data Subject rights Data Subjects have the following rights Right to access personal data Right to edit personal data Right to move personal data between organisations Right to be forgotten upon request Right to restrict or to object (direct marketing) Right to transparency and refusal of automated decision making

17 Consent Consent is effectively a contract with Data Subject on the use of their personal data Unambiguous - clear affirmative action (opt-in) Freely given - must have genuine free choice Specific - for specific processing activities Informed - understood what processing they are agreeing to Withdrawable - at any point as easily withdrawn as given Explicit - for sensitive data, profiling or cross-border transfers

18 Which are you? Controller or Processor? (in which context) Data Controller Determines purpose and means of the collection and processing of data Examples: customers/clients and employers Joint Data Control is also possible Instructs Processor through Data Processing Agreement Bears the main responsibility and liability for compliance Including that of the Processor, unless covered in the Data Processing Agreement Data Processor Acts on behalf of the Controller Examples: cloud storage, IT providers, agents, payroll companies Instructed by Controller through Data Processing Agreement Less responsibility and liability under GDPR if they adhere to agreement HEIs in the context of student recruitment?

19 Appropriate measures for GDPR compliance Data Controller obligations Data Controllers Demonstrate compliance with documentation Allow Data Subjects to exercise rights within 30 days have the following Compliancy of Data Processors Written Data Processing Agreements Make Record of Processing Activities obligations Data Protection Impact Assessment if processing is high risk Cooperation with supervisory authorities Prior consultation of DPIA shows risk Breach notification in 72h Take appropriate data security measures Data Protection Officer if necessary

20 What is a Data Protection Officer? A DPO ensures awareness and compliance with GDPR Data Protection Officer Advises management & often a GDPR team leader A DPO is required for certain organisations Public authorities Larger than SME Core activities involve large-scale, regular and systematic monitoring Core activities involve sensitive personal data Organisations can also voluntarily appoint a DPO Same requirements for mandatory and voluntary DPOs If no DPO, document reasoning behind it Even if not mandatory, an informal DPO is advisable

21 DPO requirements DPO requirements DPO requirements: Expert knowledge of data protection law and practice No duties with conflicting interest Does not have to be an employee can also be outsourced or shared if easily accessible to all parties Formal DPOs must be registered to the Data Protection Authorities Everybody wants a DPO now, get an interim one

22 Getting compliant

23 The initial steps we advise First steps 1. Appoint & train a team I. Data Protection Officer II. Data ambassadors III. Management member IV. Legal advice 2. Data audit I. Record of Processing Activities II. Gap analysis & risk assessment III. Prioritise action items 3. Fix priorities I. Privacy statement(s) & consent II. Vendor contracts III. Protocols IV. Data Protection Impact Assessment if high risk V. Consolidate processing activities However, every HEI s situation is unique

24 Record of Processing Activities Data Controllers must make and maintain a record of all processing activities What data are you using? Of whom? For what purpose? Is that purpose legitimate? Who has access, internally and externally? Where is it transferred? Who is responsible, internally and externally? How is it protected? How long is it retained? Etc RPA The first and crucial step to become GDPR compliant Mandatory for compliancy Serves as a data map and basis for gap analysis Steps to be taken often follow logically Common conclusions include Update existing documentation: contracts, privacy statement, policies etc.. Consolidate data processing activities Draft internal policies on protection, retention, minimisation, data breach, Data Subject rights Culture change privacy by design and more oversight

25 Activity Website analytics Student recruitment through agencies Department(s) IT Student Recruitment GDPR ambassador (internal) Amy Bob Data Subject category Website visitors Prospective students Any Data Subjects under 16? Likely some No Personal data category IP address, device info, browsing behaviour Name, contact info, resume, academic record, agent notes Source of personal data Browser Voluntarily submitted by Data Subject to agency and to us by proxy Sensitive personal data None Ethnicity, because affirmative action may apply Purpose of processing Marketing information, website optimization, ROI Evaluation of applicants Legal basis for processing Consent (checkbox on popup overlay) Consent (hardcopy form signed by Data Subject) Data Processors Google Analytics, Hotjar, Microsoft cloud services Agencies, Microsoft cloud services, CRM system Any Processors outside of EU? No, all systems are hosted in EU data centres Agents are all over the world Data Processor agreement? Yes Partially (not all agents yet) Data storage Internal database, cloud storage Internal database, hardcopy file system, agent systems Data retention Indefinite Indefinite Can anything be minimized? Yes, data can be aggregated after one month. No Security measures Limited access, encryption of local systems Limited access, encryption of local systems Process data breach? Yes No Process Data Subject requests? Yes Partially. GDPR compliancy? Highly likely. No. Further notes Mostly standard digital marketing stuff. Likely low risk area Last edit 12-Mar Mar-18 High risk - limited oversight over agents globally. Further steps required. Example RPA

26 High Impact Data breach process Agent processing agreements Data hosted outside EU Data Subject right requests Lead form consent Privacy policy Risk/Impact matrix Backup and retention DPO appointment Review past consent Medium policies Impact Hardcopy document IP address collection on Huge vendor processing disposal website agreements (e.g. Google) Low Impact Low risk Medium risk High risk

27 NON-compliance & there s a problem? Non-compliance Even with virtually complete compliance, a mistake is easily made Hack, insecure backup, stolen laptop, virus, student list sent to wrong address If your Data Processor leaks personal data, you re to blame Good Data Processing Agreements can limit/prevent liability HEIs at risk Vulnerable Data Subjects (potentially minors) Often publicly funded Reliant on reputation, goodwill & trust Legal consequences Fines up to 20M EUR or 4% total yearly revenue Personal liability of top leadership Class-action suits by Data Subjects Reputation Public likely to freak out Risk of being tainted goods Public investigation may harm reputation (even if you re in the right)

28 In closing

29 The initial steps we advise First steps 1. Appoint & train a team I. Data Protection Officer II. Data ambassadors III. Management member IV. Legal advice 2. Data audit I. Record of Processing Activities II. Gap analysis & risk assessment III. Prioritise action items 3. Fix priorities I. Privacy statement(s) & consent II. Vendor contracts III. Protocols IV. Data Protection Impact Assessment if high risk V. Consolidate processing activities However, every HEI s situation is unique

30 Further tips Final notes Data transfer outside of EU may be problematic Demonstrate compliancy efforts Document everything! Get quick wins Compliancy culture Evaluate yourself using online tools Microsoft free self-assessment tool: Dutch free self-assessment tool: Get legal advice or hire expertise

31 Key Takeaways Takeaways Nobody knows what the practical reality will be Complete compliancy may not even be possible Everyone is uncertain Many think it won t be so draconian Insight into your use of personal data is a pretty good idea anyway Highlight weaknesses & cover liability Optimize data and third party service use May actually lead to innovation! Do take it seriously please!

32 Questions?

33 Unanswered questions?