Organisations across every sector in Europe will soon be affected by the General Data Protection Regulation (GDPR), and if you haven't yet made the appropriate changes, it is time to act now. Yet although education is one of the largest sectors in the world, it is sometimes left unaddressed.
Will GDPR impact us after Brexit?
Before we analyse how GDPR will impact your education institute, we need a clear understanding of what it is and what it will mean for Britain. GDPR is set to strengthen data protection across Europe and will replace the current Data Protection Act (DPA). It will be implemented on the 25th of May 2018. Even though the UK will soon leave the EU following the 2016 referendum, it is likely that the government will bring GDPR into British law and enforce it as if it were its own initiative, to help unify data protection.
What you must know before 25th May
Educational organisations, whether schools or universities, all store information on their past and present students. Many educational institutes also capture surveillance footage of daily activity through the CCTV systems they have in place. Whether it is stored in a filing cabinet or backed up on an IT system, a great deal of data is collected in schools and universities, and all of it will be affected by the GDPR legislation.
The education sector already complies with the DPA, ensuring that current data is stored safely and that the risk of a data breach is low. Although this will still apply once GDPR has arrived, education providers will bear a greater responsibility for protecting data, whatever its format, in order to comply with the new regulation.
Those that do not comply with the new European Parliament legislation will be subject to extortionate fines. As schools will currently know, under the DPA the maximum penalty for non-compliance is £500,000, enforced by the Information Commissioner's Office. Under GDPR, fines could reach £20 million or 4% of global turnover, and they apply to both data controllers and data processors.
- What is a Data Controller? In the education sector, the data controller is the education establishment itself: it determines how personal data is processed.
- What is a Data Processor? The data processor processes data on behalf of the data controller. It is not part of the school or education establishment itself.
Currently, education establishments are not obliged to use a data processor. Under GDPR, however, schools must contract a party with at least the minimum capabilities required for IT asset disposal; otherwise they will be committing a criminal offence. Education establishments will have to demonstrate that they are working with a credible organisation when it comes to the disposal of data.
At present, it is not mandatory for education institutes to have a contract in place with their data processor. This is set to change under GDPR: from next year, schools will need a contract or SLA (Service Level Agreement) in place with whichever processor they choose to work with, and failing to do so will mean breaking the law.
How to make the changes for GDPR
As your education centre is already compliant with the DPA, adjusting your methods of protecting data will be a more straightforward process. However, complying with the DPA does not mean you are complying with GDPR, so you will need to review and adjust your current policies.
According to the Information Commissioner's Office (ICO), there are many ways that education centres can make the appropriate changes for GDPR implementation. The first step is awareness: make sure that everyone who handles any type of personal data knows that the DPA is being replaced by GDPR, understands what they can and cannot do, and understands the consequences.
One of the first stages is to conduct an information audit to establish what information you hold and where it is shared. As children are usually involved, you need systems in place to verify a person's age and then gather parental/guardian consent for any data processing activity you carry out.
As schools and universities accumulate data over the years, they will eventually want to remove it from their systems. To do this, you need to consider the students' rights, which determine how you delete data or provide it in an electronic format.
If a data breach were to occur, containing the situation quickly is essential so that the incident does not worsen. Putting the correct procedures in place beforehand allows education centres to react appropriately, and all staff handling data should be aware of these procedures. It could also be beneficial to appoint a Data Protection Officer who takes responsibility for data protection.
This article was brought to you by 2020 Vision, a supplier of efficient access control systems and experts in the security industry. With GDPR just around the corner, it’s crucial for anyone operating within the education sector to review their current strategies and develop more knowledge surrounding this new legislation.