In a strange juxtaposition, the new General Data Protection Regulations (GDPR) will come into force in May 2018, with the key aim of harmonising data protection across the EU at a time when we will be moving closer to leaving that union.
Irrespective of Brexit, the UK is required to adopt the GDPR, and a bill is currently before Parliament to reinforce existing data protection law, which will be supplemented by the GDPR in May 2018.
The new Data Protection Bill and the GDPR will replicate much of the current regime, but will also introduce new and tougher elements that education providers will need to get to grips with.
For a start, the fines payable for non-compliance will increase from a maximum of £500,000 to €20m. Whilst for most education institutions penalties in this ball park may be unlikely, for large education providers, particularly those who operate across several countries such as universities, this will be of concern.
The key changes that may have the greatest impact on education providers
- Consent, as a legal basis for processing, will become harder to obtain. The GDPR will require consent to be demonstrated by clear positive action taken from a free and informed position. It will need to be unambiguous that the individual fully understood what they were consenting to. Education providers will need to review the methods by which they obtain consent from the various individuals whose data they process, which will include prospective, current and former students (and in certain cases their parents) and employees.
- All data controllers will need to ensure privacy by design – essentially implementing processing systems that protect data as they process it. Data controllers will also need to conduct impact assessments, before adopting new technologies, to process personal data, which is likely to pose a high risk to data subjects. Potentially, this provision has a wide application, given the sensitive personal data relating to students that education providers may routinely process.
- Data controllers will no longer need to register with the ICO, but will need to maintain detailed documentation of their processing activities. For many education providers simply working out all its processing activities will take time. This provision will only apply to those employing more than 250 employees, unless the processing is likely to pose a high risk to individuals, or the processing includes sensitive personal data. Again, in the education context these two tests could easily be met.
- The GDPR introduces direct compliance for data processors. This may lead to an increase in the cost of data processing services such as payroll. Education providers using data processors should dig out and review their agreements to ensure that they are satisfied as to where the liability for non-compliance will fall under the terms of the agreement.
- Education providers will be required to notify the ICO of all breaches without delay, unless the breach is unlikely to result in risk to the data subject. If the breach is likely to cause high risk, the data subject must be informed, unless an exception applies. Education providers will need to put in place data breach response plans, which should include a PR element.
- Data subjects will have the right to be forgotten. This will mean students and employees will have the right to apply for personal data to be deleted. This will not be straightforward in the education context, and education providers will need to be prepared for how it will respond to such applications.
- Finally, data subjects will have the right to data portability - to request to have their personal data provided in a transferable format and to be allowed to transfer it to another provider. In the education sector, this may be very attractive to students moving schools, and those who want to retain more than their examination certificates. Education providers will need to consider how they will comply with these rights.
The GDPR requires education providers to take action to implement its provisions, and the clock is ticking. For more information as to what steps should be taken, please refer to our Countdown to Compliance article.