GDPR, or the General Data Protection Regulation, is a European Union law regulating data protection and privacy for individuals in the EU and the European Economic Area (EEA).
It actually came into effect in April 2016, but with a two-year transition period that ended on May 25 of this year – which explains the sudden flurry of GDPR-related emails you may have seen in your inbox.
But the so-called “GDPR day” was not the end of it. In fact, it’s just the beginning. The first GDPR complaint came in less than an hour after the deadline, signaling the birth of an era in which GDPR compliance will be a fact of life for marketers and website owners. It will particularly affect those, such as university recruiters, who process large amounts of personal data.
From now on, businesses and institutions will need to maintain and update their privacy and data protection framework to ensure they remain GDPR-compliant. Your website users’ consent for you to process their data must now be explicit and informed, and this consent must be renewed if the way you use that data changes.
On a lighter note, if your head is already buzzing with all this information, you might want to turn to the meditation app Calm for relief. The app makers have added a relaxing reading of the 60,000-word directive to their library of Sleep Stories.
Are you back? Let’s look at the main issues you need to confront.
What GDPR means for consent
Institutions need students and potential students to give consent on what is being done with their data every step of the way.
If your school employs a third party to carry out an EU-targeted marketing campaign, it’s your responsibility to make sure the data they collect and the campaign they run are compliant. You need affirmative consent whenever you collect someone’s personal data.
GDPR is not just about getting permission to email them: you need advance consent if you track when they click through from those emails, or capture information about their identity, IP address, location, or the type of device they’re using. That means disclosing the kind of information you’re capturing and what you’re doing with it, and providing an option to opt in.
And it truly must be an option. We are likely to witness legal action against website owners who offer an ‘opt-in or get out’ deal – users will need to be able to access your site even if they don’t want to tick that box.
Of course, any forms that you ask your prospective students to fill in should also be compliant with the new requirements. While the all-important opt-in box might seem like the most straightforward way to confirm user consent, GDPR rules allow for a total of six lawful bases for processing personal data. Make sure that you understand how and why you collect user data, and choose the type of consent that is right for your systems and services. Or better yet, look for a student recruitment and marketing specialist that has embedded GDPR compliance into its services.
The expanded definition of processing
Until now, collection, retention, deletion, breaches, and disclosures of personal data have largely been regulated under separate laws. GDPR counts all of these actions as ‘processing’.
If your organization has previously relied on FERPA compliance to protect itself, you will find that GDPR is more thorough, covering the full lifecycle of the data you collect.
Privacy by default
GDPR is not just about formalizing good practice – it’s an attempt to sway the culture of big data in a more responsible direction. The overarching concept of Privacy by Default is that companies should no longer indiscriminately mine the data of their users. The emphasis now is on collecting information for a time-limited, specific use rather than as an asset or bank of data.
This is why systems should have default settings that are designed to protect privacy. It is now the (legal) expectation rather than an afterthought.
Why GDPR is good news for your database
Did you notice, when you were sorting through those GDPR emails in your inbox, there were some you just decided to ignore – because it would actually be a relief not to hear from the sender anymore?
It's symptomatic of a wider positive effect of GDPR: after years of aimless signing-up from consumers and data collection by organizations, the EU has hit the ‘reboot’ button on the way we engage with the internet.
Your institution can no longer count on great swathes of random data to sort through when processing leads. But in place of that quantity, you can expect high-quality data from engaged prospects, about whom you learn just the information you need to develop the relationship.
GDPR compliance is hard work and a significant culture shift for sure. But those institutions that approach the regulations as an opportunity to rethink their inbound marketing strategy will find that it is a refreshing change after all.