Educational oversight is now a standard part of the framework for both higher education institutions (HEI) and further education institutions (FEI), with a satisfactory inspection report from one of the approved regulators being a condition of holding a Tier 4 Highly Trusted Sponsor (HTS)licence, as well as 'significant for specific course designation' which enables institutions to access student loan company funding.

Increased sanctions for breach: the current £500,000 maximum fine for breach of the DPA is likely to be increased to a percentage of the annual global turnover of the organisation in breach. This will significantly increase the risks of non-compliance.

Training: accountability and transparency are important aspects of the Regulation. This increases the value of having a clear, established internal system for data protection, which requires more than simply using technical solutions for data security. Training staff in best practice and the required standards is important to ingrain a culture of data protection compliance. It will include continuous monitoring and reviewing of data processing procedures on a micro level by those who process personal data every day as part of their job.

Safeguards against data breaches: implementing effective safeguards is key. These may include limiting access to personal data except on a “need to access” basis; using password protection; and anonymising personal data (particularly sensitive personal data) except where it is strictly necessary for the data subject to be identifiable.

Data subjects’ rights: the Regulation introduces more rigorous, specific standards relating to the consent of data subjects. Consent to process personal data will need to be given explicitly either by a statement or by a clear affirmative action that is the result of choice by the data subject. Pre-ticked opt-ins would not be acceptable and silence, mere use of a service or inactivity would not constitute consent. Consent must be limited to specified purposes and will lose its validity when the purpose ceases to exist or the processing of personal data for that purpose is no longer necessary.

Reporting data breaches: the Regulation introduces a mandatory obligation to report personal data breaches to the regulator.

Dedicated data protection officer: organisations processing data on more than 5,000 individuals per year are required to appoint a dedicated internal data protection officer.


By the latest estimates, the Regulation may be adopted in 2016 with a two year implementation period before it comes into force. Although the Regulation still needs to be finalised, the key principles will exist in some form when the Regulation comes into force and we do not expect the current text to change significantly. Therefore, we would recommend educational establishments to prepare for the impact of these changes, in order to be well-placed for compliance with the new regime. We are happy to offer a review of your current data protection procedures and can advise on the best ways to ensure continuing compliance as the Regulation comes into force across the EU.