It has been all over the news (and likely all over your inbox) – the new General Data Protection Regulations are coming into effect this week on May 25th. Are your data systems ready? Are you?
One last shameless plug, if you're going to be at NAFSA next week, let us know! We would love to meet you. Our session with Monmouth and Temple Universities on building internal alignment for international recruiting is on Wednesday at 1 pm. We promise a good show with real learning. Connect with us at firstname.lastname@example.org.
Now, a high level review of what we should all understand about the GDPR and your role in protecting prospective students' data. We look at the regulations and the consent processes in a positive way: This is a form of pre-screening your inquiry list. A far greater percentage of the leads you capture will have a high level of interest in your institution.
Read on to find out why...
Disclaimer: This is not meant to be a one-stop-shop for all things GDPR or function as legal guidance. This post acts as an introduction for international student recruitment professionals who want to learn more about the basics of the new GDPR regulations.
Here at Intead, we use the HubSpot CRM and (as you may know by now) we are endless promoters of their system and the consistently great customer service they provide. We are in the process of making a series of changes to ensure that your data is safe and secure with your full knowledge and consent – whether you live in the EU or the US.
We are proud to say that HubSpot has been a strong partner throughout this process, releasing a series of new tools to help us ensure GDPR compliance and making our lives easier, although not entirely stress-free.
Discussions around the GDPR have been complicated, time consuming and even nerve-wracking across our industry. We invite you to take a minute and step back and look at the GDPR as an opportunity to treat your prospective students' data with a new level of respect. At the end of the day, when you treat your prospective students well, they are more likely to respect your institution and ultimately enroll.
Some research has suggested that 1 in 3 companies will not be ready for GDPR in time. Not a surprise given what it entails. Let's examine a few regulatory highlights that might help you think about your own data protection regulations in the context of your prospective students:
Affirmative Consent with Notice
To deliver marketing materials to prospective students in the EU, input their email address into your workflows, call or otherwise connect with them, they must actively give their consent to be contacted for one specific purpose. This doesn't mean a pre-filled check-box. It means they must click a box or select an option to actively give you permission, on behalf of your institution, to call or otherwise connect with them.
Don't get scared though – just make sure this consent is part of your initial lead collection form on your landing pages or any other inquiry capture system you have. If you are meeting students in-person 1:1 or at events, you may need to collect double-consent – meaning although you received permission in-person, you may want to send a follow-up email that says "Please confirm your request for information." Of course, this all depends on your institution's unique approach to the regulations. If you're a one person shop trying to handle GDPR yourself – this might be a good step to take.
And remember, the reason for data collection must be clearly and unambiguously communicated at the time consent is given. Be clear about your exact intentions and follow through. No more, no less.
If the prospect is interested in your institution, consent shouldn't be a problem. If they are not, you just saved yourself some trouble and are keeping your lead list much cleaner.
We all know that technology can be a daunting challenge when it comes to data protection.
Cookies that track behavior and other data about your leads are not necessarily something your prospective students always anticipate. So, you have to tell them and receive their consent. Most often this appears as a pop-up (you've seen those notifications that don't disappear until you click "I Agree") and now the language must be specific to the GDPR regulations and require affirmative consent.
Again, if they are not interested in your institution and they don't give consent, you really didn't want them in your database anyway.
Access and Modification of Personal Data
The whole concept behind the GDPR is to give EU citizens greater control over their personal data. This means giving your leads the ability to access and modify their data at any time. You must have the ability to export their data history and deliver it to them in an accessible digital format upon request at any time.
You must also be able to accomodate requests to change or alter personal data upon request. You should ensure that you know how to access and edit this data to prevent any potential hold-ups in completing a request.
Right to Opt-Out
It should be just as as easy for a prospective student to opt-out as it was to opt-in. This is a crucial point under the GDPR. Leads must be able to choose to opt-out of all contact at any time and for any reason, with just the touch of a button. You should be able to show prospective students all of the email streams, call lists, etc., to which they are subscribed so that they may alter one or more uses of their data.
Think about it. Have you ever received many emails from a company and wanted to continue receiving some but not all of their communications? It should be that easy for your prospective students to alter their communication settings – without losing touch completely, unless they want to. As we mentioned earlier, a complete opt-out option should always be within easy reach, i.e., that "unsubscribe" link at the bottom of emails.
Right to Erasure
Just as they have the right to opt-out of contact, a prospective student also has the right to total deletion from your database. You should know how to completely and permanently remove a lead and their full activity log from your database and be prepared to do so upon request.
There are many new security measures coming into play under the GDPR – far more than we can cover comprehensively here, from encryption at rest and in transit to access controls to data pseudonymization and anonymization. And, let's be entirely honest: we hope that if you're in charge of data security, you aren't reading our blog to figure it out three days before the deadline.
For the rest of us, the more we learn now, the easier it will be to respond quickly when a request arises. You can learn more about self-certification for your institution and GDPR regulations here: https://www.eugdpr.org/
We are SO hoping you have not dosed off at this point. We've shared the crux of the new regulations. Your legal counsel and IT folks are likely on top of this and should act as a great source of information. Inevitably, this will be in the news in the months/years ahead. We'll be watching and you can count on us to flag anything that we think you and those in enrollment marketing functions should be aware of.
Share your GDPR stories with us in the comments.