Home   |   Join the NSPA   |   Contact Us   |   Sign In
News & Press: New & Featured Resources

Impact of EU General Data Protection Regulations (GDPR) on Scholarship Providers

Saturday, May 5, 2018  
The EU and UK and Canada have much stricter privacy policies than the US.

The GDPR applies to U.S. scholarship providers to the extent that they collect personal information from international visitors to their web sites. Personal information includes not just name, email address, phone number, etc. but even just an IP address. It also involves rules similar to COPPA for consent (e.g., parental consent required for children under age 13). The GDPR goes into effect on May 25, 2018.

While it unifies the privacy rules across the EU, it also comes with severe penalties for violations.

The official GDPR web site is https://www.eugdpr.org.

If a scholarship provider allows international students to apply for its scholarships, it would be strongly advised to make sure it is compliant with all provisions of GDPR. In particular, they should make sure that their web applications include a specific statement of consent to collect the information consistent with the GDPR requirements, they use adequate security (they may be required to assign someone on staff the responsibilities of Data Protection Officer), pseudonymisation may be necessary, and comply with the right of access and right of erasure.

Note that limiting applications from international students to students who are already in the U.S. may not be sufficient.

Privacy rules get really tricky. For example, sending "unsolicited" email to a Canadian email address may result in a violation of Canadian privacy laws. Unsolicited is broadly defined, too broadly. At least one of my previous employers decided to deal with it by blocking all outbound email to .ca email addresses.

Thank you to the following organizations for their generous support!

Membership Software Powered by YourMembership  ::  Legal