Data protection evolved: How to make sure your school is ready for GDPR
Natalie Ruane explains the steps all schools will need to take before May 2018, to comply with the upcoming General Data Protection Regulation.
The General Data Protection Regulation (GDPR) is to come into force on 25 May 2018, replacing current legislation, the Data Protection Act 1998 (DPA).
Due to technological advances since the DPA’s enactment, there has been a great increase in the quantity of digital information that is stored. The current system of data protection is therefore no longer suitable.
The GDPR aims to make data protection consistent across Europe, minimise the risk of breaches and uphold the protection of personal data.
Who does the GDPR affect?
The GDPR affects both data ‘controllers’ and ‘processors’:
- Data controllers are those who determine the means and purpose of personal data processing. For example, an organisation employing recruiters.
- Data processors are those who process personal data on behalf of the data controller. For example, those involved in marketing, IT services and HR functions, including payroll for the school.
Previously, data processors were bound only by contractual obligations imposed on them by the data controller. However, the GDPR now imposes direct obligations upon processors.
Data controllers are placed under an obligation to demonstrate compliance with the GDPR.
Under the GDPR, consent from individuals to process personal data must be in the form of a positive opt-in. This means consent may no longer be given by pre-ticked boxes, inactivity or inferred by silence.
Consent to processing personal data should not be merely included in a school's Terms and Conditions, but should be separate.
The GDPR affords individuals the right to:
- be informed;
- restrict processing;
- data portability;
- object; and
- not be subject to automated decision-making including profiling.
The GDPR emphasises the need for transparency in how personal data is used. Information relating to the processing of data must therefore be concise, easily understood and freely provided, for example through the use of a privacy notice.
Previously, a request to obtain a copy of personal data was subject to a £10 access fee. This fee has been removed under the GDPR. Information must be provided to the individual without delay and within one month of receipt, rather than the previous 40 days.
Further, the GDPR has removed the requirement for an individual to prove personal data may cause unnecessary and significant damage to enable its erasure. Where data is erased, any third party it was shared with must be contacted and asked to erase the data.
The right to data portability listed above has been introduced by the GDPR.
This right enables an individual’s personal data to be transferred from one service to another.
In order to comply with this right, schools must be able to transfer personal data in a safe and secure manner and in a machine-readable form. Again, you must provide this information freely, without undue delay and within one month of the request.
The GDPR affords special protection to the personal data of children, especially where they are engaged in online services.
A child aged 16 and above is able to provide consent themselves, although this age may be reduced to 13 in the UK. If a child is aged below 16, a person with parental responsibility, i.e. their parent or guardian, must provide consent on their behalf.
Where the consent of a child is sought, the consent must be verifiable. The privacy notice informing them of how their data is to be used should be written in a language which can be understood by a child.
Accountability and Governance
The GDPR’s emphasis on accountability and governance again reflects the importance of transparency in relation to data protection.
The GDPR introduces an accountability principle which imposes a positive obligation for schools to demonstrate compliance with the GDPR. This can include implementing measures to ensure compliance, maintaining relevant documentation and using data protection impact assessments (DPIA) where required.
Further, you must appoint a Data Protection Officer (DPO) if you are:
- A public authority;
- An organisation carrying out regular and systematic monitoring of individuals on a large scale; or
- An organisation carrying out large scale processing of special categories of data such as health records or information regarding criminal convictions.
The GDPR introduces a duty on the processors to report any breach of data without delay to the controller. The controller must then report certain data breaches to the relevant supervisory authority and, in some cases, to the individuals affected.
The supervisory authority must be notified within 72 hours where a breach is likely to result in a risk to the rights and freedoms of individuals, for example the risk of financial loss, discrimination, damage to reputation or loss of confidentiality.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, notification must be given to the individual directly. The threshold for notifying individuals is therefore higher than notifying the supervisory authority.
Enforcement and Penalties
Prior to the GDPR, the supervisory authority had no power to impose administrative penalties. However, there are now two levels of fines the authority may impose.
For lesser violations, a fine of up to €10,000,000 or 2% of worldwide annual turnover can be imposed, whichever is greater.
For serious violations, such as a failure to notify the authorities of a breach, a fine may be imposed of up to €20,000,000 or 4% of annual worldwide turnover, whichever is greater.
Elizabeth Denham, Information Commissioner, has stated that claims that the ICO will issue large fines to make an example out of organisations are merely scaremongering. She insists that the ICO’s aim is to advise and educate organisations and confirmed that issuing fines will be used as a last resort. Organisations may face sanctions from the ICO including warnings, reprimands and corrective orders. The publicity impact of such sanctions may be large.
Actions to Take
Due to the rights afforded, it is advised that systems for retrieval and erasure are reviewed in order to allow compliance in an efficient and timely manner.
Additionally, a review of all personal data held is recommended in order to assess what data you hold, how consent has been received, the lawful basis on which you hold the data, how the data has been received and who it has been shared with should any data need to be erased, rectified or requested. This information should then be documented. It is advised that any personal data held could be encrypted or pseudonymised to prevent loss of confidentiality.
Thought should be given to the requirement and appointment of a DPO. Further, it should be considered whether further policies and procedures should be created in order to demonstrate compliance with the GDPR, including revised privacy statements and consent procedures, DPIAs and procedures for detecting, investigating and reporting breaches.
Finally, it is recommended that those within your organisation are aware of, and understand, the changes to data protection due to the implementation of the GDPR and its impact.
If you have any questions relating to data protection and the GDPR, please contact Natalie Ruane 01768 800855 or firstname.lastname@example.org.
About the author
Natalie is a Partner and leads the Employment Law & HR team and specialises in education.