GDPR: what mobility advisors need to know

GDPR: what mobility advisors need to know

Being a mobility advisor, you deal with a lot of data. As such, a lot changed for you when the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. However, what does this big change entail and what effect will it have on your role within your higher education institution? This blog post covers some basic questions you might have about GDPR and offers a simple explanation of what you can expect.

What is GDPR?

As you may already be aware, the biggest change resulting from the GDPR has to do with the fact that institutions will be held more accountable for the data they collect, hold, and use when it comes to individuals. Natural persons (referred to as data subjects in the GDPR) will now have ownership over any data that can be traced back to them. The new legislation also extends to personal data that was collected before 25 May 2018, making it retroactive in nature.

As part of this data ownership, data subjects are granted a number of rights, including the right to access, edit, move, delete and restrict the use of their personal data, as well as the right to refuse automated decision making. Additionally, data subjects must be made aware of all relevant processing activities and their rights at the moment of data collection (eg as part of a privacy statement). This is especially important if the legal basis of data processing is consent, which must be informed, freely given, unambiguous, withdrawable and specific to each processing activity.

In short, GDPR requires a documented understanding of why and how information is collected, stored, and used, when it is deleted or otherwise made unidentifiable (ie anonymised or aggregated), and who has access to it.

Types of data

To understand all of this, we need to know what type of data we are dealing with. As mentioned before, personal data includes all data relating to an identifiable natural person. Some personal data is inherently identifiable (eg name or address), while other data is only identifiable within context or deeper analysis (such as finding an overlap between gender, postal code and job title). GDPR concerns all data that can reasonably be tracked back to a data subject. Within personal data, there are three categories that warrant further explanation.

  1. Sensitive personal data, also known as ‘special categories’, is essentially data that could be used to persecute someone. This includes genetic data, biometric data, health information, racial or ethnic information, religious or political beliefs and more. There are very strict rules on this type of data, and it is advisable to avoid collecting, storing or using it.
  2. Anonymous personal data is data for which a data subject cannot be reasonably identified. In other words, your organisation does not have the capabilities (technological or otherwise) to trace this data back to a natural person. GDPR does not apply to this type of data, but it is still wise to be careful, because large quantities of personal data could theoretically still identify a person (eg the aforementioned overlapping data).
  3. Pseudonymous personal data is data for which the identifiable data (eg name and contact details) has been metaphorically ‘locked’, for example through encryption or use of a subject number (likely a student ID in your case), and can only be ‘unlocked’ with a specific key (eg an encryption key or a file with student ID linked to the identifiable information). As long as the key and the non-identifiable personal data (eg gender, age, nationality) is kept separate, it is very hard to identify the data subjects. While GDPR does still apply to this kind of data, the regulation explicitly encourages pseudonymisation, which can relax your obligations under the law.

Data processor or controller?

Understandably you, as a mobility advisor, may not know which type(s) of personal data you are dealing with or what consequences GDPR has for your role. What you do know is that you use the data you are presented with. Within GDPR, you are likely classified as a data processor. This means that you are acting on behalf of another party, a data controller, who instructs you why and how to use the data. As long as you stick to the rules that the data controller lays out in the Data Processing Agreement between the two of you, the data controller bears the main responsibility and liability for compliance.

It is important to note that whether you are a data processor or a data controller may vary from processing activity to processing activity. For example, a payroll company is a data processor to the clients whose payroll activities it handles (since the clients instruct the payroll company through vendor contracts), but is a data controller for its own employee data.

Data protection officer

Some organisations are obliged to appoint a data protection officer. This is a position that advises and assists the organisation on compliance. They are likely the key in obtaining the knowledge of GDPR that you need, so find out who is responsible for GDPR in your institution!

Finding your data protection officer will reassure you that your institution’s data protection strategy is overseen and that it is compliant with GDPR requirements. This person will need to translate the data protection strategy to all layers of your institution and will create several opportunities for you to learn what implications GDPR will have for your line of work. Most importantly, you will acknowledge what you need to do with the data you are confronted with.

One of the most important tasks of a data protection officer is to make a record of processing activities, which documents all the processing activities in the organisation, as well as their purpose, legal basis, data subjects, recipients and more. It is likely the first and most crucial step for the compliance process and it is likely that you, as a mobility advisor, will need to contribute to this record.

Documentation

GDPR puts a lot of emphasis on effort. Even if you fail to be fully compliant, being able to demonstrate that you made a serious effort is very much taken into account. Aside from the aforementioned record of processing activities, it is highly advisable to document your efforts, results, the consent that the data subjects gave you and the data processing agreements you have with other parties. If you get into trouble, being able to prove that you did everything you could is crucial.

A lot has been written about GDPR and it has made us feel that it will be global concern. However, knowing who to turn to and understanding what this new regulation is all about will ensure the data of our (future) students is kept safe and dealt with in a respectable way.

Frequently asked questions

Q: Certainly in the area of student mobility, we exchange a lot of data. Not only student data, but also data about our application procedure and whom to contact in the International Office. Are we allowed to use the data of our colleagues at the partner institutions to send out bulk e-mails with our application information for student exchange or information on Summer School programmes?

A: GDPR applies to all ‘non-household’ activities – effectively everything that an organisation does with personal data falls under it. GDPR definitely applies to this case, and it’s important your partners are compliant. That being said, we would assess that this is one of the less problematic areas. There is legitimate interest and you need to exercise your legal obligations.

Q: When universities have selected their students to go on exchange, they nominate the students at the partner university. This usually includes first and last name, e-mail, date of birth, and gender. Is this still possible under GDPR?

A: Yes, but get explicit, informed and specific consent from each data subject and set up procedures that allow subjects to exercise their data subject rights. It is still advisable to avoid using any kind of sensitive personal data and to get explicit consent to transfer data to non-EU countries.

Disclaimer: we are not attorneys. These insights are based on our experience and views on GDPR. Please consult legal professionals if you need conclusive answers to your question(s).

Virginia van der Ster
NHTV Breda University of Applied Sciences, the Netherlands

Laurens Vehmeijer
StudyPortals, the Netherlands

Daniela Dandes
StudyPortals, the Netherlands