Before the Brexit vote, the EU General Data Protection Regulation (“Regulation”) was expected to become law in the UK in May 2018, replacing the current Data Protection Act 1998. As it appears unlikely that the UK will leave the EU before 2019 at the earliest, the Regulation is expected to come into force as planned. In addition, the Regulation is expected to remain (broadly) in force once the UK leaves the EU. The Information Commissioner’s Office provided a statement following the Brexit vote that:
“…if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”
Therefore, our best advice is that independent schools should continue to prepare for the Regulation becoming law in May 2018, as planned. We have set out an overview of some of the key changes below.
Organisations will no longer be required to register with the ICO but, instead, schools will need to keep their own detailed records of their processing activities. There is also a new accountability principle which will require organisations to demonstrate that they comply with the Regulation. The new Regulation will therefore significantly raise the compliance bar, and fines for non-compliance will increase dramatically from the current maximum of £500,000 to a maximum of 4% of annual worldwide turnover or €20,000,000 (whichever is the higher).
A new definition of “consent” will require consent to be informed, specific, freely given, unambiguous and capable of being withdrawn at any time. If consent is retained as a basis for processing personal data, school governors will need to ensure that the consent will meet the new requirements. Schools will also need to keep records which evidence the consent provided, and be prepared to deal with situations where consent is not given or withdrawn.
There are new requirements under the Regulation which require parental consent to processing personal data where a child under 16 years old is offered online services (e.g. social media services). Although the requirement applies only to the direct offer of online services, it is possible that the general age of consent to processing of personal data by children may be brought into line with this requirement. Member states have the ability to vary the age limit down to no lower than 13. This is an area schools should monitor, as it could have an impact on when parental consents may be required for processing personal data and exercising rights, e.g. Subject Access.
The new Regulation will require very specific information to be given to individuals, in Privacy Notices, about how schools process personal data. There is also a new legal requirement in the Regulation to ensure that Privacy Policies are concise, transparent, intelligible, easily accessible and written in clear language, in particular where addressed to children.
The right of Subject Access will be retained but in most cases the ability to charge a fee of £10 will be abolished. In addition, the new Regulation gives individuals a number of additional rights, including the right to be ‘forgotten’ and in certain circumstances the right to restrict processing of personal data and the right to have electronic personal data in a portable format. These rights may impact on how schools collect, use, store and/or provide personal data, and schools will need to ensure they are aware of what individuals are (and are not) entitled to.
Under the new Regulation it will be a requirement for organisations to report to the regulator any personal data breaches which are likely to result in risks to individuals, without undue delay and, where feasible, within 72 hours. Where there is a high risk to individuals as a result of the breach, there may also be a requirement to notify the breach to the individuals concerned.
By the time the GDPR comes into force on 25 May 2018, schools will be expected to have full compliance measures and procedures in place which deal with many of the key compliance matters outlined above, including:
- compliant privacy policies
- policies and procedures for privacy impact assessments
- policies and procedures for notifying and dealing with data breaches
- policies and procedures to ensure that any activities involving the processing of personal data reflect and embody the principles of data protection "by design" and "by default"
Given the breadth and depth of the changes to data protection law that are afoot, we recommend that schools seek advice in relation to the new Regulation.