Is the EU GDPR Your Next Business Enabler?

Read how the GDPR could impact how institutions handle cybersecurity.

January 28 is Data Privacy Day. Throughout the months of January and February, the EDUCAUSE Cybersecurity Program will highlight higher education privacy issues. To learn more, visit our awareness campaigns page.

More likely than not, your institution could be doing more to protect your most sensitive data. Research from The Tambellini Group indicates that data security maturity in higher education is still lagging. Encryption, database activity monitoring, and robust, automated access management are rarely seen. Some institutions still do not have a business continuity and disaster recovery plan in place. Institutions know these controls are important but are struggling to get resources (both people and funding) to tackle the problem.

"I take an ecumenical approach to get security investments. I keep the compliance hammer tucked away until I really have to break glass," says Michael Corn, CISO at the University of California, San Diego. Enter the hammer: the EU General Data Protection Regulation (GDPR).

The EU GDPR is challenging organizations to take a hard look at their data processing and data security policies and technologies. The Tambellini Group has authored a comprehensive report on GDPR compliance as it pertains to US higher education institutions (the executive summary is publicly available to download). Compliance with the GDPR will require extensive planning, including a robust data protection plan. The fines for noncompliance are extensive: up to 20 million Euros or 4% of annual global turnover (revenues), whichever is higher. Most institutions are struggling with where to start, and it doesn't help that compliance has traditionally been viewed as a "checkbox" with little relationship to real cybersecurity measures.

Let's look more closely at the EU GDPR and how you can use it to build a business case for cybersecurity investments on campus.

Four Scenarios

If one of these scenarios fits your institution, you may have a unique opportunity to request funding for data security projects that have gone ignored. The GDPR's large fines for noncompliance may considerably raise the "financial burden" bar for institutions with:

  1. Lecturers or academic staff visiting European institutions (personal data, while inside the EU, are covered by the GDPR)
  2. Students in Europe who are considering a US academic course
  3. European students in the United States
  4. Academic research based on personal data belonging to individuals in the EU

Examples of These Scenarios in Practice

A French student, Pierre, prepares to matriculate.

  • Before arriving at his university in Ohio, Pierre has to submit medical records (partly to comply with state laws, and partly to obtain local health insurance).
  • Pierre can only transfer the records to the United States if the U.S. institution can document that it will comply with the GDPR.
  • The U.S. institution must meet the requirement of legally enforceable obligations that are adequate ("essentially equivalent") to the GDPR, i.e., demonstrate how the data are kept and used, especially in adherence to the data processing principles.

Professor Jane goes on sabbatical in Finland.

  • While on sabbatical, Professor Jane continues to supervise her PhD students at her US home institution.
  • She also corresponds via email with the department and university administration regarding pay, forthcoming class schedules, committee activities, etc.
  • While in Finland, all personal data Jane sends back to her home institution fall under the GDPR. Thus, in order to receive them, the institution has to show that it complies.
  • While in Finland, Jane must also treat the personal data of her PhD students in accordance with the GDPR.
  • The knock-on effect may also be that Jane has to ensure that the institution complies with the GDPR when it comes to treating student data if she sends data back to the United States while in Finland.
  • The institution may also have to comply when she returns to the United States and takes her students' data with her upon her return.

Seven Ways to Leverage GDPR as a Business Enabler

How do you turn these scenarios into funding for critical security projects? Consider these seven business enablement activities.

  1. Map out the circumstances under which your institution needs to be GDPR compliant.
  2. Determine who the stakeholders are in each of those scenarios. Does the head of institutional research have data that fall under GDPR? What about the VP of human resources or the director of admissions?
  3. Devise a data protection plan that takes into consideration the circumstances identified in step one. Consider including an encryption strategy. If your sensitive data are encrypted at rest using strong encryption techniques, you also cover a lot of bases with the United States data privacy laws.
  4. Overlay the business owners/stakeholders you've identified with your data protection plan to demonstrate that GDPR is a business issue, not an IT issue.
  5. Create a committee of stakeholders who hold GDPR data and demonstrate where/how their data fall under GDPR. Discuss the financial implications to the institution.
  6. Determine ownership and oversight of your data protection plan, including stakeholders from the institution. Have stakeholders incorporate GDPR into new application decisions, like CRM and identity and access management.
  7. Present your new data protection and stakeholder committee plan to the CFO. Show concrete actions and associated outcomes to request funding, along with potential impacts to the institution (aka fines) if no action is taken.

Note: This is a thought piece and is not intended as legal advice; Katelyn Ilkani and The Tambellini Group shall accept no responsibility for any errors, omissions, or misleading statements, or for any loss which may arise from reliance on materials herein. The ideas contained herein do not replace the necessity to seek out your own legal counsel on GDPR.

Katelyn Ilkani is the Vice President of Client Services and Cybersecurity Research at The Tambellini Group.

© 2018 Katelyn Ilkani. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.