If your inbox is anything like mine, you recently received a flurry of emails from companies about changes to their privacy policies. Some may have even asked you to opt in to newsletters you already receive.

The messages and policy updates were an effort to comply with the General Data Protection Regulation (GPDR). The European Union legislation went into effect May 25.


GDPR essentially says that if I reside in the EU, companies can’t collect and store information about me without my permission. And if I give that permission, I should be able to see what they know about me, have it deleted (“the right to be forgotten”), or even transfer it elsewhere. Among other provisions, there are rules about handling personal information shared through things like online purchases.

Why are U.S. companies spending resources to comply with an EU regulation?

Because the internet is global, companies that operate and market digitally interact with customers everywhere, including the EU. 

It remains to be seen how the law will be enforced for American companies, but experts advise erring on the side of caution and complying. Some organizations also see transparency as good for customer relations.

Having two separate policies and practices (one for site visitors from the EU for example, and another for everywhere else in the world) would be more burdensome than following a single approach for all visitors. So certain companies are cleaning house, as it were, and adopting measures to follow GDPR across their enterprises.

Just like a U.S. retailer that doesn’t directly advertise to a customer in Spain, but is required to store that person’s data in a GDPR-friendly manner if they make an online purchase, U.S.-based schools must follow GDPR when managing personal data that applicants provide from the EU. (This law firm sums it up well).

Schools that directly recruit prospects in the EU will likely be held to an even higher standard of safeguarding applicant information.

What about email and digital marketing? And collecting behavioral data?

The same example of the American retailer interacting with potential customers in Spain applies here, too. To illustrate: If submitting a request for information form enters a prospect into a drip email campaign, but the form gives the impression that the person will only receive one article of correspondence, it’s probably in breach of GDPR.

Instead, make it clear that you’ll be providing additional information in the future, and tell people they can unsubscribe at any time.

If your website, landing pages, and other digital properties track clicked links, page views, and other behavioral information, you need to make that known to visitors, too.

What should colleges be doing to comply with GDPR?

We recommend following the lead of proactive U.S. companies that are updating their data policies and processes across the board — for prospects and applicants in the U.S., EU, and everywhere else.

It’s not only simpler to have a unified approach, but it’s also a good way to develop trust with students. Just as Generation Z is used to sharing personal information in a way older generations probably aren’t, they are also more aware of data privacy and transparency issues.

You’ll need to work with your technology partners and in-house teams to provide ways for students to see the data that’s been collected about them. If they want it deleted, they should have an easy means to do so. And if predictive models are used in making admissions or financial aid decisions, students should be able to see how the model arrived at the decision. 

Element451, for example, simplifies data management by putting it all in one place. If a request comes in to see what the marketing or admissions department “knows” about a student, schools don’t have to track it down from multiple sources.

If you’re behind or haven’t started updating your data practices, you’re not alone. According to an article Campus Technology published a day before the policy went into effect, “several universities have set up working groups to steer campus efforts on GDPR, but most are in the early stages of identifying impacted systems and processes.” 

Of the five universities the publications contacted for comment, two didn’t respond and the others didn’t want to be interviewed.

It shouldn’t be surprising that higher ed institutions are lagging behind. Commercial entities, who arguably have more resources to get up to speed, are struggling.


The Ponemon Institute surveyed more than 1,000 companies in April, half of which reported they wouldn’t meet the deadline. Tech companies accounted for sixty percent of those surveyed.

My school isn’t where it needs to be in implementing GDPR measures. Should I be very worried?

Richard Sisson, a senior policy officer for the Information Commissioner's Office (ICO), the group responsible for enforcing GDPR, said “we are not suddenly going to issue huge fines immediately.”

"If you are doing work that you can to comply, if you are working towards the accountability principle, if you have plans in place to show you are working towards compliance, we do take those things into consideration.”

That’s good news, but keep in mind that penalties for breaking GDPR are up to four percent of global revenue, or 20 million euros ($24.4 million), whichever is greater. 

If you’d like to talk about how Element451 can help your digital communications comply with GDPR, get in touch: connect@element451.com

You’re not exempt just because you’re not in the EU.

GDPR: What Higher Ed Marketers & Admissions Teams Need to Know

You’re not exempt just because you’re not in the EU.

Talk With Us

At Element451 we help schools with software that keeps students engaged and enrolled.