In May, the European Union implemented a new set of data privacy rules, known as the General Data Protection Regulation, designed to give people greater control over their personal data.

Across the pond, those rules have direct implications for how Yale and other higher education institutions collect information on alumni and other potential donors.

The rules represent the most expansive effort by a governing body to date to protect users’ personal data. European Union data subjects can now request access to their online data, while organizations and businesses are restricted in how they can collect and manage that information. Protections apply to all European Union data subjects, meaning that organizations like Yale, which collect information on those subjects, are restricted by the new rules.

In anticipation of the regulation’s ratification, Yale began conducting a review of its obligations under the new rules, Vice President for Alumni Affairs and Development Joan O’Neill said.

“Affected Yale departments, including the Development Office, are incorporating these obligations in their activities and processes,” O’Neill said. “Typically, these departments are performing privacy assessments and making any appropriate modifications to the collection and storage of information.”

Research on potential donors — known as “prospects” — is a key component of Yale’s own fundraising efforts as well as how the University identifies and cultivates relationships with major donors. Briefings on potential donors can run about eight to 10 pages, even as long as 30, with background information and newspaper clippings. The briefings may include such information as the name of a potential donor’s spouse, the number of children a potential donor has and where the children go to school. Some of the information-gathering work may also be outsourced to large electronic research firms that aggregate information about alumni and others. Under the new regulations, donors can request to see personal data of theirs held by Yale.

In an interview with the News last spring, former Vice President for Development and Alumni Affairs Terry Holcombe ’64 likened the work of the research firms to Facebook’s transfer of data to Cambridge Analytica, which used ill-gotten information to influence the opinions of American voters. Chris Connors, senior director of prospect research at Villanova University, said the research firms employed higher education institutions to conduct data research that will also be affected by the new European Union regulations.

Anu Bradford, a law professor at Columbia and expert in EU law, said the GDPR will protect Yale’s donors in Europe, limiting the information Yale can collect and retain on them. Donors protected by the GDPR can now ask for any of their own data held by Yale, including any correspondence that involves them, she added. Even without a data storage center in Europe, Yale must supply the data by request.

O’Neill said the University is only tailoring its processes to the scope of the GDPR, meaning the University will only comply with the requirements for person data of persons in the EU, not everyone in the Yale community.

Information linked to domestic fundraising will not be directly affected by the EU regulations, Bradford said.

Michael Regan, a former senior research analyst at the Office of Development, said that for higher education institutions, the implications of the new rules on marketing remain ambiguous.

Ideally, a European citizen must now actively consent to receive marketing material and fundraising solicitations if they have not previously done so, he said. Regan said some schools are already contacting affected constituents to ask for explicit consent to engage in marketing and fundraising under the new rules.

But under the regulations, Regan said, charities — including nonprofits like Yale — do not need to get an individual’s consent to send direct marketing materials as long as the person hasn’t explicitly requested not to receive the materials and the practices do not infringe on privacy rights. Taking advantages of these exceptions, some schools are continuing with their direct marketing strategies.

The GDPR has wide-ranging consequences for institutions of higher education, beyond institutional development, he said.

“Outside of the fundraising realm, the GDPR has led some colleges and universities to totally revamp and re-state their policies on privacy and data retention,” Regan said.

Stanford’s updated policy directly addresses the rights of European Economic Area citizens under the new rules. Yale’s online privacy statement does not.

Yale’s Office of Development is located at 157 Church St.

Hailey Fuchs | hailey.fuchs@yale.edu