In preparation for Europe’s new General Data Protection Regulation (GDPR), we’ve been meeting with many universities. We’ve compiled the most frequent questions here for your convenience!
You can also learn more about GDPR and what it is at our blog post here.
How should institutions be determining who is an EU GDPR Subject?
GDPR covers activities that occur “within” the EU, so a conservative interpretation may identify GDPR data subjects as EU residents or EU citizens. Some institutions we’ve talked to are using students’ on-file addresses to determine who resides in, or is a citizen of, the EU and so has GDPR subject status - but you should check with your legal counsel to determine what is appropriate for your institution.
How do I update my student sync to specify which students are EU GDPR data subjects?
You can find our technical documentation for the student sync here: https://documentation.joinhandshake.co.uk/docs/uk-student-data-file-specifications. Whether you are using the API directly or the CSV upload option, it’s as easy as adding the new field ‘eu_gdpr_subject’ and specifying “TRUE” or “FALSE”. If you are not specifying this field in your sync, we’ll send reminders after each sync to the point of contact you have configured for your student sync.
If you're having technical trouble with your sync, you can contact our technical support team by submitting a ticket here: https://support.joinhandshake.com/hc/en-gb/requests/new . If you have other questions around GDPR you can email us at firstname.lastname@example.org.
You can learn more about student syncs here: https://support.joinhandshake.com/hc/en-gb/articles/233086688
I’m not sure how my student sync works / I’ve never used the importer.
During your implementation, a member of IT from your institution was likely assigned to work with your office. They should be able to easily update their script or system to include this field. I would recommend finding out who that internal point of contact is first.
If you no longer have a person who has done this before, here are a few resources to get you started:
Lastly, you can contact our technical support team by visiting this link https://support.joinhandshake.com/hc/en-gb/requests/new?ticket_form_id=716207 and choosing “Technical Support -> I need help with my student sync” as your category.
What if I don't import eu_gdpr_subject status, and students don't select 'Yes' or 'No'?
By default, eu_gdpr_subject is set to 'null' (or 'No') for all students in Handshake, which is also signified by passing 'False' for this field in your imports. If you are not updating this status, we will assume that none of your students are GDPR subjects.
NOTE: We provide all students the same rights under GDPR regardless of subject status.
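A pre-upload check for the CSV option, added here as an example and not Handshake's own code: it confirms that every row carries an explicit eu_gdpr_subject of TRUE or FALSE, because a blank value falls back to the default and the student is assumed not to be a GDPR subject. The other column names, the `id_column` parameter and the sample rows are constructed assumptions, not taken from the file specification.

```python
import csv
import io

FIELD = "eu_gdpr_subject"    # field name given on this page
ALLOWED = {"TRUE", "FALSE"}  # values given on this page

# Constructed sample file; every column except eu_gdpr_subject is hypothetical.
SAMPLE = """username,email_address,eu_gdpr_subject
asmith,asmith@example.edu,TRUE
bjones,bjones@example.edu,False
cwu,cwu@example.edu,
dlee,dlee@example.edu,Y
"""

def check_sync_file(text, id_column="username"):
    """Report blank and unrecognised eu_gdpr_subject values in a sync CSV."""
    reader = csv.DictReader(io.StringIO(text))
    report = {"missing_column": FIELD not in (reader.fieldnames or []),
              "blank": [], "invalid": [],
              "counts": {"TRUE": 0, "FALSE": 0}}
    if report["missing_column"]:
        return report  # no row states a status; all would take the default
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        raw = (row.get(FIELD) or "").strip()
        who = row.get(id_column) or f"line {line_no}"
        value = raw.upper()  # assumption: case is not significant
        if raw == "":
            report["blank"].append(who)           # would default to 'No'
        elif value in ALLOWED:
            report["counts"][value] += 1
        else:
            report["invalid"].append((who, raw))  # e.g. 'Y', 'yes', '1'
    return report

def ok_to_upload(report):
    """True only when every student has an explicit TRUE or FALSE."""
    return not (report["missing_column"] or report["blank"]
                or report["invalid"])

if __name__ == "__main__":
    result = check_sync_file(SAMPLE)
    print(result)
    print("ok to upload:", ok_to_upload(result))
```
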
What is a Data Processing Agreement (DPA), and how do I ensure Handshake and my institution have one?
A Data Processing Agreement is an agreement a Controller must have with any Processor to which they transmit data that is subject to GDPR. What that means is if you as a University (Controller) will be processing personal data for students who are protected under GDPR, then you must have a GDPR-compliant Data Processing Agreement with Handshake (Processor) and any other vendors who process or store student data on your behalf. GDPR requires that you as the Controller are only using GDPR-compliant Processors, and having a DPA in place with your Processors contractually ensures that this is the case.
To make things as easy as possible, Handshake has a DPA prepared for you, and you can get a copy by emailing us at email@example.com.
Additionally, we will be including DPAs in new contracts by default - new contracts this summer will have our DPA attached as an addendum - so there aren’t any additional steps beyond that. You can check your contract to see if you already have a DPA on file with us.
Please don’t hesitate to reach out to us at firstname.lastname@example.org if you have any questions!
Why does my institution fall under GDPR - a European regulation?
GDPR affects all businesses and organisations that process information of natural persons in Europe. This may pertain to your university if you accept admission information from students located in Europe, if you have a campus in Europe, or if your students do study abroad in Europe. This means that GDPR may impact you, regardless of where your organisation is located.
Part of the process of becoming GDPR compliant is identifying students that may be subject to GDPR - which is why we are working closely with universities to accurately identify such students. Many businesses or organisations may not be working toward GDPR compliance if they believe they do not process information for users subject to GDPR. Please consult with your university’s counsel to determine if you need to comply with GDPR. If so, you can be confident that Handshake will be GDPR compliant by the May 25th deadline - but you will also want to ensure that your other vendors will be as well.
Where do I go for any other questions?
You can reach us at email@example.com for any questions about GDPR!