The GDPR and Higher Ed Marketing & Recruitment
So what do the two have to do with each other? Let’s start with a simple example of a prospective student recruitment journey.
You engage an enrollment marketing partner to launch a marketing campaign including email, social media, print, etc. to focus on a specific region of the world. That marketing campaign results in traffic to your website (which you are dutifully tracking), some request for information (RFI) submissions, and maybe a few applications. Now you have information about prospects with varying degrees of interest:
- Click-throughs from your campaign to your website who didn’t convert. You know there’s some interest there, and ideally you know who these prospects are because you tracked them back from your email campaign. Your next step is to continue to cultivate the prospects through additional targeted communications across multiple channels.
- RFI submissions are submitted by some of your campaign’s targeted prospects. Here you have elevated interest, and more data captured through your RFI form, likely stored in a customer relationship management (CRM) system. You use this information to contact the prospect and drive the next steps in your enrollment communications process.
- Applications are completed by a few of your targeted prospects. You now have a significant amount of data from the prospect that you’re storing in your CRM or admissions platform. You then focus on turning this applicant into an enrolled student.
The theme here is that you’re collecting an increasing amount of personal information from prospects as they flow deeper into the enrollment funnel. The GDPR will necessitate some significant changes to how you collect, track, and use this data.
What is the GDPR?
The European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, is a far-reaching law designed to protect the privacy and security of European Union residents’ personal data. It restricts, among other things, how organizations collect, store, and use the personal information of their customers or prospective customers. Personal information as defined by the GDPR is broad, including the obvious like name, email address, and physical address, but it also encompasses things like location data, race/ethnic origin, gender, biometric characteristics, and more.
Some key provisions of the GDPR include:
- People about whom you are collecting data, referred to as data subjects, must have the ability to provide consent regarding the data that is being collected about them, and how that data will be used. You cannot use their data in any way that is inconsistent with the consent given.
- Organizations must document why people's information is being collected and/or processed, descriptions of information that's stored, how long it's being retained, and documentation of security measures in place.
- Personal data you store must be effectively protected and you are required to provide notification if the personal information you store has been subject to a data breach.
- You must have processes in place that allow data subjects to contact you to learn what information you are storing about them as well as to request that any data stored be permanently deleted; which is commonly referred to as the right to be forgotten.
There’s much more to the GDPR; the above is just a quick summary. You can visit the EU's official GDPR website if you want to learn more about the regulation itself.
Changing Your Process in a Post-GDPR World
Consent is a key cornerstone of the GDPR and affects you in several broad ways:
- If you are engaging a vendor to conduct a EU-targeted marketing campaign on your behalf, or to provide you with a list of prospects, it is your responsibility to ensure that the vendor has complied with the GDPR in compiling the list or executing a campaign.
- You must get affirmative consent from a prospect whenever you are collecting personal information throughout the enrollment funnel.
Some practical examples:
- Marketing campaign and website analytics tools have become increasing sophisticated, allowing the tracking of a prospect through email click-through to website visit, able to capture aspects of their identity, IP address and information about their location and device they’re using. That’s all protected information under GDPR guidelines. To legally track this information, you will now need to disclose to the prospect how you are tracking them, what information you are capturing/storing, and how you’re going to use that information. In addition, you need to provide a mechanism for the prospect to affirmatively agree/opt-in to the collection of this data.
- Consent requirements hold true as well when asking a prospect to fill out an RFI or an application. You must disclose how the information provided will be used (and you can’t legally use it for any purposes not disclosed) and provide an explicit opt-in for the use of that personal data.
- A generic message on your site that says something like “by using this website you agree to <insert lengthy paragraphs of legalese>” or an opt-in with a pre-selected checkbox will no longer suffice. You must provide the capability for a site visitor to explicitly opt-in (e.g. via a checkbox) to the data collection or tracking. Also, the consent and use information you provide cannot be buried in broader terms and conditions, it must be “unbundled” as the GPR refers to it.
Below is an example of these concepts. The opt-in to join the mailing list is not checked by default, and is separate, or unbundled, from the check box to agree to general terms & conditions. A description of how the prospect’s data will be used and protected as well as what means will be used to contact them is also provided.
Data Governance and Security
The GDPR requires organizations to document why people's personal information is being collected, how it’s used and stored, and how long it's being kept. That means you need to have written policies and procedures in place around these topics.
One aspect of the data governance process is being able to prove that you have received affirmative opt-in from the people whose personal information you’re storing. So, when someone opts-in you’ll want to capture and store a record of that, including a time stamp of when the opt-in occurred.
Data security has increased in importance with the litany of high profile breaches across various industries in recent years. The GDPR includes requirements that personal data be adequately secured. It doesn’t get into specific requirements, but the expectation is that industry best practices for data security are in place. If you experience a data breach, you will also need to notify EU regulators as well as affected persons.
Data retention is also something to consider. While the GDPR does not outline specifics, the guideline is to retain data no longer than necessary in relation to it’s purpose. For example, if you have data about a prospect submitted via an RFI, and that prospect has not applied or enrolled in a reasonable timeframe (and presumably enrolled elsewhere), you’ll need to have a policy in place for how long you’ll keep that prospect’s data and a procedure for ensuring it’s deleted when that retention period is up.
Individuals’ Rights to Access and Remove Personal Data
Under the GDRP, data subjects have specific rights to know what data you are storing about them and to request that you remove their personal data. Again, you’ll need to have a process in place, ideally automated, for someone to see what personal data you’re storing about them, with the option of opting-out, or deleting the personal data you are storing about them.
This data deletion requirement can get somewhat complicated for several reasons. First, with many email marketing platforms and CRMs, if someone unsubscribes, that action doesn’t necessarily delete their personal data from the platform, it just ensures they are excluded from future communications. The GDRP data deletion requirement specifies that personal data must be deleted entirely.
This all becomes more complicated if personal data is replicated to multiple systems, for example from your CRM to an email or marketing automation platform, or exported to a spreadsheet for analysis or reporting. Data removal ties back into governance. You’ll need to have policies in place to control where personal data is distributed, so that you can then delete data if requested or once the retention period you set expires.
So, what happens if you violate the GDPR and are assessed penalties by EU authorities? Well, those penalties can vary widely based on several factors, including:
- The nature and seriousness of the violation (e.g., how many people were impacted and what type of data was affected)
- Whether the violation was intentional or a matter of negligence
- What the organization did, if anything, to mitigate or correct the issue
- The organization’s history of GDPR violations
“Administrative fines may, depending on the infringed provision of the General Data Protection Regulation (GDPR), amount to a maximum of EUR 20 million ($23 million), or, if this is a higher amount, 4% of the total worldwide annual turnover (revenue) of an organization.” Source: Lexology
The maximum fine is the greater of 20 million Euro (about 23 million US Dollars) or 4% of the violator’s global annual turnover (revenue). What’s unclear at this point is how those fines would be assessed on a non-profit higher ed institution.
Practical Implications of GDPR
You may ask how likely it is that you will have to deal with the GDPR? How likely is it that one of your prospective EU students will ask to know what you’re storing about them, or ask to opt out of being marketed to, or ask you to purge all data you hold about them?
That all depends on how focused you are on EU-based prospects. If you’re actively recruiting EU students, you absolutely need to focus on compliance with the GDPR. The penalties for violations are too significant to ignore. Same situation if you offer online education programs and have a significant number of EU-based students. If you are not focused on recruiting in the EU, but a few students from EU member nations apply and enroll on occasion, your likelihood of running afoul of the GDPR is significantly lower, but you technically still need to comply.
One thing to keep in mind when implementing process changes to comply with GDPR is to not lose prospects or create barriers for them along the way. The increased affirmative opt-in requirements can result in prospect drop off. Creating a compelling customer experience through your online channels, while still complying with the GDPR, is critical to offsetting any negative impact from the increased opt-in and disclosure requirements. Contact me to learn more.Please note that this post is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine how the GDPR might apply to your specific organization.