On the 25th of May 2018 the Data Protection Act will be replaced by the General Data Protection Regulation, commonly referred to as GDPR. GDPR will place increased responsibilities upon every education establishment, regardless of the age group for which it caters, regarding the management of personal data. Failure to comply with GDPR could result in fines of €20 million or 4% of a business’s global revenue, whichever is greater, and the impact upon OFSTED inspections and ratings would be severe.
The Background to GDPR
As the digital world developed, so too did public concern about how personal data is held, used and protected. The Government introduced the Data Protection Bill on 13th September 2017. The Bill sets out how data protection law will be updated and this includes applying the standards of the EU’s GDPR.
Who Will GDPR Affect?
GDPR will affect anyone who is deemed to be either a data controller or data processor. These are organisations and individuals within them who handle data or gather and store it. The impact upon those in education is obvious, as they have for a long time had to gather, manage and store very sensitive data.
How Will GDPR Affect Education and Learning?
Every school and establishment that offers educational learning will have to update its procedures and policies. There will be a requirement for Data Protection Officers to be designated. These DPOs will need to manage requests for access to data and ensure staff awareness of responsibilities, procedures and legislation.
There will be a requirement to understand the legal principles under which data is processed. Educational institutions will be more accountable for information they hold. Records must be kept of the information held and there will have to be demonstrable, documented understanding of how it is acquired, why it is held and anonymised, when it may be deleted and who may access it.
Schools will need to consider how they communicate information to students, parents and guardians. The age of pupils and students will affect issues such as consent, and this is also significant in adult education. Individuals will have an increased awareness of their rights regarding what information about them is held, and their expectations will naturally be raised.
Taking Steps towards Compliance
Those who comply with existing Data Protection laws are well placed to achieve GDPR compliance, but a lot of preparation is still required.
The basics towards compliance can be summarised as:
- Raising awareness: those who make decisions should be made aware that GDPR is approaching.
- Data audit: this should detail all personal information held, its source, and how it is shared.
- Information-sharing notices will need to be updated to reflect GDPR.
- Data Protection Officers should be designated in larger organisations; in smaller organisations, HR should appoint a person who takes responsibility for sharing guidance and educating staff on it.
- A review should be undertaken of how consent is sought and managed. Data processing has to be lawful, and its lawful basis should be explained in privacy notices and documented.
- The Information Commissioner’s Office has produced a Code of Practice on Privacy Impact Assessments; lead staff should familiarise themselves with this and with the latest guidance from the Article 29 Working Party.
An information lifecycle audit, demonstrating the way in which data is acquired, processed, handled and disseminated, should be completed to aid understanding. Building the protection of data into the design of the systems that manage it is indicated as the way forward.