Business schools are scrambling to reshape their data-sharing policies to comply with GDPR—which could hamper their ability to market their programs, and their students to employers. Schools also fear the reputational damage of data-handling failures.
GDPR is an EU-wide set of rules that cover requirements to notify regulators about data breaches, and transparency for users about what data is being collected and used, and why. GDPR comes into force on May 25th.
The biggest change will be moving away from the use of consent as the default for processing personal data—held on applicants, students and alumni whom business schools communicate with, and market to, on a regular basis.
Schools will now need to obtain consent before using personal data or sharing it with any third parties such as recruitment firms.
That last point has stirred angst amongst careers teams because it may now be more difficult for them to send information that could help their students get hired, such as CV books, to recruiters.
But perhaps the thing business schools are most concerned about is the risk of reputational damage. GDPR imposes harsher penalties on data breaches and leaks than the current data regime—up to a maximum of £18 million.
Aside from the cash cost of a data-handling failure, business schools are concerned that, at a time when consumers are more conscious than ever before about how their personal data are handled, a mishap could damage their reputations. Stanford Graduate School of Business was criticised last year, when a data breach revealed a decade of financial aid information, including students' income.
Mark Bramwell, chief information officer at the Saïd Business School at the University of Oxford, said: “You see on the front page of the newspaper every week, stories around leakage, breaches and use of personal data, whether Facebook and Cambridge Analytica or TalkTalk last year or Carphone Warehouse.
“The reputational damage of being seen not to appropriately manage data is significant and we would prefer, clearly, for that not to be Oxford.”
Many business schools are taking steps to ensure that their data-handling policies are GDPR-compliant, and to shore up security processes.
Saïd, for example, has launched an email marketing campaign to obtain consent from the owners of the data it holds, to use that data.
In addition, the business school has invested in Salesforce, the CRM platform, which makes it easier to be GDPR-compliant because it stores all customers’ contact information in a single place.
And in a further move, Saïd has been offering encrypted USB sticks to staff and students as part of a new information security, data storage and retention regime. “It’s not rocket science, it’s more about raising general awareness,” said Mark.
ESMT Berlin in Germany has hired a compliance consultant from PwC to advise the business school on GDPR compliance, said Marcel Kalis, head of career services.
“GDPR brings a lot of administration and bureaucracy, but we have analysed our processes to make sure we are compliant and changed what we had to change,” he said. For example, ESMT has removed some personal data that it does not need to hold, rather than obtain consent from its owners.
Marcel added that GDPR could impact business school hiring—if recruitment firms fail to comply with the new rules. “They cannot just send CVs to an employer without the permission of the owner of the resume. If a firm is going to propose a person for a certain job, they have to ask that person now.
“[At the same time], firms can easily work with that new regime. Germany already has a strong focus on data protection. If companies get their processes in order, I don’t believe there is much to worry about.”