Demand from our further education members for information and advice on the new General Data Protection Regulation (GDPR) has been strong and seems to be increasing as the day draws nearer when it applies in law – 25 May 2018.
The GDPR is a huge subject with wide-ranging ramifications and colleges have much to get to grips with. You will need to review how your organisation collects, processes, stores and shares the personal data of staff and students.
If you’re unsure whether your college is well prepared, help is available from the education sector’s technology solutions not-for-profit, Jisc. We have a variety of free advice to offer, including blog posts, online guidance and regular training courses. And now available on our website are recordings of speakers at our GDPR conference, so if you missed it, you won’t miss out.
Among the main points to consider are:
There will be stricter rules requiring organisations to implement policies and document procedures which serve to ensure – and evidence – compliance with the GDPR. This accountability principle means it is not enough to comply; you must be able to show that you comply.
Organisations should conduct an information lifecycle audit to identify and document how personal data is collected, accessed, shared, analysed, and retained. Full record-keeping will be important, too: the GDPR requires most organisations to maintain a written record of their processing activities.
An audit will also put organisations in a better position to use that data, for example in collaboration and learning analytics projects, in the knowledge that it is accurate, up to date, and can be used fairly and lawfully.
Privacy by default and design
Organisations will be obliged to implement data protection and security “by design and default” – to build in data protection from the outset rather than bolting it on afterwards. This includes assessing risk before processing begins, and identifying measures to address those risks; where the processing is likely to result in a high risk to individuals, the GDPR requires a formal data protection impact assessment (DPIA) before it starts.
Higher standard for valid consent
Where organisations rely on consent for processing, the GDPR will introduce a higher standard for this to be valid; it specifically prohibits silence, inaction or pre-ticked boxes as means of obtaining consent. Individuals must be free to refuse consent without detriment, and it must be as easy to withdraw consent as it was to give it. Colleges should also check whether consent is the right lawful basis at all: where there is a clear imbalance of power, for example between an institution and its students or staff, consent is unlikely to be regarded as freely given.
Increased data subject rights
Data subjects will be able to request relevant information, which must be provided free of charge within one month. If the request is complex, or the individual has made several, the period may be extended by a further two months, but the individual must be told of the extension, and the reasons for it, within the first month.
Individuals will have the right to know what personal data is being collected, for what purpose, for how long, and to whom and to where it is being transferred. They will also have the right to data portability and the highly-publicised right to be forgotten (the right to erasure).
Reputational damage and fines
Security breaches inevitably attract publicity and criticism, so organisations should be aware of the risk of serious reputational damage caused by a data breach. A breach that is likely to pose a risk to individuals must also be reported to the ICO within 72 hours of the organisation becoming aware of it, so incident response procedures need to be in place before an incident happens. The ICO has said that the fines regime will remain proportionate to the poor data processing practices that led to a breach, although the upper limit on fines has increased substantially and is now a maximum of €20 million, or 4% of annual worldwide turnover, whichever is greater.
Data protection officers (DPOs)
Organisations whose core activities involve large-scale monitoring of individuals, or large-scale processing of sensitive data, must appoint a DPO, as must all public authorities and bodies regardless of what they process. In our experience, most universities and colleges have concluded that awarding degrees involves “large-scale monitoring” so are assigning DPO roles and responsibilities. A DPO must operate independently: the organisation must not instruct the DPO on how to carry out their tasks, and must not penalise or dismiss them for performing those tasks.