The General Data Protection Regulation (GDPR) has huge implications for all industries, including education. Introduced in 2016, this sweeping legislation has redefined data-privacy expectations and placed unprecedented obligations on all organizations that are based or do business in the EU.
For academic institutions in the EU, GDPR compliance is critical to avoid severe fines. For institutions in other regions, familiarity with this law is still important, as it is being used as a model for similar privacy legislation all over the world.
Unfortunately, GDPR compliance can be complicated for colleges and universities, including their IT and software-licensing staff, and many of the law’s clauses contribute to that. However, when it comes to the specific matter of how schools provide access to cloud-based software, there is one aspect of the GDPR in particular that can create serious complexity, and risk, for academic institutions.
Is your institution offering cloud software in a GDPR-compliant way? To be sure, let’s look at what may be the biggest pitfall the GDPR creates for IT and licensing staff in education.
The Challenges of Cloud Licensing
Anyone who manages licenses and user accounts for cloud software at an academic institution can confirm that it isn’t easy. Every user must have their access provisioned when they become eligible and deprovisioned when they lose their eligibility. Since large institutions often contain thousands of users per product, and because eligibility can change with every new enrollment, graduation, or course transfer, this can add up to a staggering amount of work.
To make this task manageable, many cloud products offer organizations the ability to create accounts in bulk by uploading entire databases of user data to the cloud. Since this eliminates the hassle of creating and deactivating accounts manually, on a by-user basis, it’s an elegant workaround—on paper.
There are two problems with this approach, however. First, it was designed with private enterprise in mind, not for education, where eligibility to use software varies by course-load and is constantly changing. Second—and more importantly—these bulk-import tools were not created with the GDPR in mind.
The GDPR and the Importance of Consent
One of the core tenets of the GDPR is that people’s private data cannot be collected or shared without their consent. This consent must be demonstrable, freely given, and informed.
With that in mind, it’s not hard to see why the time-saving tools described earlier conflict with the GDPR. Creating large numbers of accounts for cloud software in that fashion essentially involves bulk-sharing potentially thousands of people’s personally identifiable information (PII) without obtaining their consent or even informing them that it’s happening.
This is a clear violation of the GDPR. For schools in the EU, this can result in extremely high fines. However, as established, the most obvious alternative—to manually create and deprovision user accounts one by one—is a borderline-unmanageable amount of back-end work for staff at many large colleges and universities. So what are IT and licensing staff at these institutions to do?
GDPR Compliance Simplified
All of this may seem to put schools between a rock and a hard place—defy the GDPR or invest countless staff hours into manually managing user accounts in the cloud. The good news is that there are ways to safely navigate between these two unacceptable options.
As is often the case in IT, the key is to automate and offload as many required processes as possible. Rather than provisioning entire departments or campuses in bulk or doing it on a user-by-user basis, empower eligible students to self-serve access to the software. Bake consent into this process—if a student wants to create an Adobe Creative Cloud account online, agreeing to have their data shared with Adobe should be a required step. Be sure to make it clear what information will be shared, and ensure that each user’s agreement is logged. This will satisfy the GDPR’s requirements that consent be informed and demonstrable.
The GDPR is a massive piece of legislation with many articles that affect higher-ed institutions. But setting up a solution like the one described above can get IT and licensing staff around the biggest GDPR-related hurdle to providing access to cloud software.