So what is GDPR?
General Data Protection Regulation comes into force on 25th May 2018. The ICO will enforce this within the UK.
The UK government has stated that the GDPR will apply within the UK after Brexit and it will continue to cover all processing of Europeans’ personal data. Education providers must be compliant with GDPR or risk being on the wrong side of the law.
What does this Data Protection mean?
Quite simply this means you must look after the personal information you hold.
As our world has become ever more globally and digitally connected, the issues surrounding the use of personal data (and who has access to it) have been very much in the spotlight. As a result, tougher regulations are being introduced to protect our personal data.
The idea behind the new regulations is to create an environment where we think about privacy by design – meaning that systems must have default settings that protect privacy from the very beginning.
The regulations will strengthen EU citizens’ rights to object to certain data processing of their personal information as well as the rights to have their personal data corrected and deleted.
The rights that have been enhanced include:
- subject access to personal information held about them;
- the right to request that inaccuracies are corrected;
- the “right to be forgotten”: the right to have information erased;
- the right to stop unwanted direct marketing to the subject;
- the right to prevent automated decision-making, including profiling;
- data portability.
What does this mean for education providers?
All institutions dealing with the personal data of EU citizens will be held far more accountable for the data held.
If you hold and process personal information about your students, employees or suppliers, you are legally obliged to protect that information (the new GDPR replaces the old Data Protection Act in the UK). In practice, you must:
- keep records of what personal data exists within the organisation;
- ensure a documented understanding is kept of why the information is held and how it is collected;
- know what life-cycle it has – only hold as much as is needed, and only for as long as needed;
- only collect information needed for a specific purpose;
- keep it secure;
- ensure it is relevant and up to date;
- allow the subject of the information to see it on request.
Who is responsible?
Everyone! Any person who handles or maintains data is responsible for ensuring its protection; from directors to all employees, contractors, sub-contractors and suppliers.
ASIC are working with TMS, who have developed a straightforward 12-step process.
What this means for institutions and their staff:
- you need to be aware of the requirements of GDPR;
- you need to be aware of the protection of privacy in your day-to-day job;
- your organisation is the data controller of your own data, and potentially the data processor or data controller of “client” information;
- you need knowledge of your information collections and how to utilise them;
- you need knowledge of the levels and types of information you can share outside of your organisation.
See the ICO’s guidance on preparing for GDPR.
This approach is also fundamental to UK and international standards on quality and information security, which is covered in Section B of our Areas of Operation, so along with compliance with GDPR, it should contribute to institutions achieving those goals as well.
In the UK there are also new duties to report security breaches to the Information Commissioner’s Office (ICO) and, in some cases, to the individuals affected. It is therefore advisable to add a plan for what to do in case of a breach to your documentation on information lifecycles.
What are the sanctions for non-compliance?
Failure to adequately protect data, resulting in a data breach, can mean a fine of up to €20 million or 4% of an organisation’s turnover. For more information see the EU GDPR website.
In addition to the hefty sanctions, organisations could well face claims for compensation for damages suffered, as well as reputational damage and ensuing fallout and costs associated with this.
Are there any other reasons compliance with GDPR matters?
Apart from the obvious need to be compliant with the law, GDPR is intended to increase individuals’ awareness of their rights, so institutions will face higher expectations from parents, students and stakeholders. As mentioned briefly in the section on penalties for non-compliance above, reputational damage and loss of trust can be extremely costly to an organisation.
Breaches of data protection are already becoming extremely damaging to organisations (the Cambridge Analytica case being one such example). JISC write that: “Recent failures of security and inappropriate practices by businesses and charities have been widely publicised and criticised, damaging the reputations of the affected organisations and raising questions for their entire sector.”
The education sector is not immune to this and, as such, it is in your institution’s best interests to be compliant in the eyes of the law as well as ensuring your ‘brand’ demonstrates its integrity and commitment to quality, ethical education practices.
If you have any further questions contact us, or if you require more information about TMS’s 12 Steps to GDPR compliance please get in touch with TMS using the details below: