September | October - Issue 4 TB Connects

What's on our Agenda

As we start a new academic year, TBC’s Board is ramping up for another successful fiscal year fulfilling our mission:

The Boston Consortium for Higher Education empowers its members to thrive in a dynamic and challenging environment. Through innovative programs, initiatives and through leadership, TBC enables members to improve their financial and operational performance and the quality of their offerings.

We are devising new ways to help each other with Workday and GDPR (see below), answering your requests and creating more CPE (Continuing Professional Education) opportunities (stay tuned), and looking forward to the great work our Communities of Practice and working groups continue to do. A big thank you to the Workday Task Force which has been instrumental in upcoming collaborations.

Finally, I’d like to extend a warm welcome to our new Director of Programs, Jessica Smith. Jessica started last month and comes to us from BU’s School of Medicine, where she was Director of Student Affairs, and Brown University where she was the Manager of Faculty Administration. If you’d like to connect with her, please email her at Welcome Jessica!

Looking forward to another fruitful year.

Mac Hisey
Chair, The Boston Consortium for Higher Education
CFO, SVP of Administration and Finance, Berklee College of Music


TBC continues to facilitate and collaborate with the 17 member schools in many areas. The implementation of Workday has been an important topic this past year. Out of TBC’s 17 member schools, nine have implemented, or will be implementing, Workday. In April, TBC hosted a Workday Forum and formed a Task Force to discuss the many ideas for collaboration that came out of that discussion.

First, thank you to our Workday Task Force:

Jessica Cataño, Babson
Mark Roberts, Babson
Christine Lyalko, Bentley
Anne Pugliese, Bentley
Lauri Doniger, Brandeis
Ken Freda, Brandeis
Jim La Creta, Brandeis
Jeff Stein, Brandeis
Ravi Ravishanker, Wellesley
Mags Burry, Workday

The Task Force has created a resource for Workday information. Use it now and in the future to connect with others who can help answer questions and offer Workday-related tips! Access, add and update your information via this shared spreadsheet.

We have also created four new listserves – Workday Finance, Workday HR, Workday CIO, and Workday Student – to help support and share Workday information. If you are interested in participating in one or more of these listserves, please email Shanone Coakley.

Workday will present an all-day Student Workday Demonstration on September 12 at Babson. This demonstration is open to all member schools regardless of their current Workday status (maximum 5-6 attendees per school, please). The Student Workday Demo will cover Financial Aid, Student Finance, Curriculum, Recruiting and Admissions among other topics. If you would like to attend or require further details, please email Shanone Coakley.

Finally, Workday and the Task Force have been discussing further training opportunities in Boston. Stay tuned!

If you have any Workday suggestions or questions, please contact TBC’s Director of Programs Jessica Smith

GDPR - Gerneral Data Protection Regulation, May 25, 2018

TBC's Internal Audit and Risk Management teams were working on a joint article on GDPR (General Data Protection Regulation) for TBC Connects, when they came across a blog recently published by United Educators. This blog was written specifically for Higher Education and hits on all the critical points. United Educators granted TBC permission to re-print it:

GDPR Basics for Educational Institutions

The General Data Protection Regulation (GDPR), which became effective May 25, 2018, protects data privacy rights of all “natural persons” (or “data subjects”), regardless of citizenship, who are inside the European Union (EU), including tourists. It also imposes numerous rules and restrictions on organizations that process “personal data,” even if they have no physical presence in the EU. Many U.S. educational institutions (colleges and K-12 schools) are subject to the GDPR’s requirements. To understand the basics of the regulation and whether your institution may need to comply, consider the following overview and recommendations.

Which Organizations Are Covered, and When?

A U.S. educational institution is subject to the GDPR if it has an “establishment” in the EU, such as a study abroad program, even if it does not own or control the facilities used, or if it offers EU consumer goods or services, such as distance learning. In addition, the GDPR would apply to institutions that:

  • Have employees working or performing research in the EU
  • Use personal data originating from the EU
  • Recruit potential students or employees in the EU
  • Conduct certain other outreach to individuals (e.g., donors) in the EU.

Caution: This is not an exhaustive list. Institutions should consult counsel experienced in global data privacy laws to determine if individuals for whom they handle personal data are protected by the regulation.

Personal Data and Rights of Data Subjects

The GDPR places numerous restrictions on educational institutions that process personal data (information relating to an identified or identifiable data subject), including limitations on the types of personal data it can process. In addition, the regulation establishes many rights for data subjects. For example, data subjects must be notified in “clear and plain” writing about how their personal data is collected, used, managed, and disclosed. “Small print” privacy notices that contain legalese or jargon would not comply with the regulation.

Enforcement of the GDPR is primarily carried out by “supervisory authorities,” which the GDPR requires member states to designate. Each supervisory authority has broad enforcement powers, ranging from demanding information and conducting investigations and audits to issuing warnings and imposing fines. For extreme offenses, fines may run up to 4 percent of global revenue or 20 million euros (over $23 million), whichever is greater. In addition, data subjects can sue organizations in EU member state courts for violating the GDPR.

Institutions that are unsure of their GDPR status should determine, in consultation with counsel, whether they are obligated to comply. If so, it recommended to promptly take the following actions:

  • Convene a working group, including representatives from information technology, risk management, insurance, legal counsel, study abroad, human resources, student affairs, admissions, administration or business, and academic areas involved in international research. This group should review all institutional policies and procedures related to the collection, processing, and storage of personal data, considering questions such as:
    • What data is collected, from whom, and for what purposes?
    • Who processes data?
    • Are privacy notices GDPR-compliant?
  • Based on the group’s recommendations, revise policies and procedures appropriately
  • Train all affected employees

If you are looking for resources to assist with the development of a GDPR compliant privacy program, please feel free to reach out to Risk Management ( and Internal Audit ( Risk Management can help make you aware of resources available through various insurance companies. Many are available at little or no cost. Risk Management will also work with other TBC staff to develop additional resources member institutions are looking for. Internal Audit can be part of your institution’s working group so that they can become familiar with your controls. Internal Audit is available to share best practices, and will develop an audit plan to improve your GDPR privacy program.