If you’re looking for specific details on how to set up your sync, please check our GDPR Frequently Asked Questions here.
In just a few weeks, Europe’s new General Data Protection Regulation (GDPR) will go into effect and impact companies and organizations around the world that handle personal data of EU data subjects, including Handshake and our university partners. Handshake is strengthening our commitment to student privacy and we want to help our partners on campuses across the country do the same.
To help simplify this process for our Handshake community, we pulled together a short guide that breaks down GDPR’s scope and the ways you can strengthen the data processing activities in your campus community. You should always speak with your University Counsel’s Office for specific legal advice related to how your Career Center treats student data.
Tell me more about GDPR
GDPR, which goes into effect on May 25, 2018, aims to strengthen and standardize user data privacy across the EU nations and any organizations that handle the personal data of EU data subjects, regardless of the location of the organization. To put it in context for the higher education community specifically, if you’re a university in the United States with students from or residing in the EU, GDPR may apply to you.
How does GDPR affect universities and students?
If your campus is home to international students from the EU or if you have students who study abroad in the EU, they may fall under the scope of GDPR. This means there are special regulations for how their data is processed and stored, both by you directly and by any partners you work with, like Handshake!
Let us break it down a bit further.
To help you and Handshake comply with GDPR, we need to work together! Under GDPR, you as a university are considered the Controller and Handshake is considered the Processor for the data you transfer to us to provide Career Center services. This means:
1) You’ll need to identify for us which students’ data fall under GDPR.
We are relying on you to tell us which student data you transfer to us is subject to GDPR. In your student sync, we’ve added the ability to include an “eu-gdpr-subject” flag. GDPR requires identifying which students are EU GDPR data subjects, and we will need your help as the Controller to provide this information. Please add this flag for your students who are EU GDPR data subjects! You can learn more about this in our GDPR FAQ here.
2) We can only process EU data subjects’ data at your direction.
As the Controller, you are responsible for obtaining the right consents from your students regarding how you will be processing their data and which vendors you will be sharing their information with. You must have a GDPR-compliant Data Processing Agreement (DPA) in place with all vendors you work with to ensure that all your vendors are GDPR compliant and will only be processing your data at your direction. You can request Handshake’s DPA by sending an email to firstname.lastname@example.org.
3) We’ll need to help you when students choose to exercise their rights under GDPR.
We have the responsibility to process any requests you send us from students to delete, alter, or export their information. On Handshake, this is as simple as a quick email to email@example.com. We have implemented this so we can process these requests for any students who ask, whether they are covered by the GDPR or not.
4) For students who choose to join Handshake to take advantage of additional features we offer, we will be the Controller for the data they submit (as always, students own their own data) and will follow the GDPR’s requirements for how we collect and process that data.
What is Handshake doing?
As you know, Handshake’s motto is always “Students First”. We take student data and privacy very seriously. Students are always in control of their data - from how it is processed and stored to how it’s being used publicly. This will continue to be true under the new GDPR requirements.
Here at Handshake, we’re going beyond the requirements of GDPR to ensure we have a robust structure in place to protect student data and privacy. Here are some of the steps we’ve taken:
- We’ve consulted with a number of top employment and privacy lawyers to ensure we’re meeting GDPR requirements to protect students’ information.
- We’ve met with many universities to discuss preparations for GDPR and best practices for data security and privacy on campus.
- We’ve ensured all of our sub-processors (the vendors who provide support to Handshake, like email or analytics providers) will also be GDPR compliant.
- We will require University-identified GDPR data subjects to provide explicit consent for data processing not already collected by the school, doubling down on students’ ability to control how their information will be used and shared within Handshake.
- We’ve built functionality to assist our school partners in responding to requests from student users to correct, amend or delete their personal data.
- We follow industry security best practices and perform annual third-party security audits with top security experts.
- We’ve added a quick way to easily reach us - for privacy-related requests or questions, just send an email to firstname.lastname@example.org.
We strongly encourage you to confirm all campus vendors are taking similar steps to ensure the privacy and security of your students’ data.
Where can I go for more information?
If you have additional questions about GDPR, you can visit our help center article here to learn more about:
- How to get a Data Processing Agreement (DPA) set up with Handshake
- How to update your student sync to specify which students are EU GDPR data subjects
- Additional information that we may add in the future as requested by you and our other University partners to assist in becoming GDPR-compliant.
If you have any questions that are not answered by this blog post or our help center article, please don’t hesitate to email us at email@example.com - we’re here to help!
This is for informational purposes only. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. Please reach out to the staff at your office in charge of GDPR and legal counsel to receive tailored guidance on how the GDPR may impact you.