Data isn’t a new player on the field; however, its safety is becoming an increasing concern. On May 25, 2018 the new general data protection regulation (GDPR) will be introduced to the UK – bringing with it a host of new regulations that will need to be considered. Sarah Briscall, commercial solicitor at Shulmans LLP, explains what schools need to be thinking about now.
The general data protection regulation (GDPR) is a new law relating to data protection, due to take effect on May 25, 2018. This may sound like the distant future; however, there are significant steps that need to be taken to ensure your teaching establishment is fully compliant.
Comply now…for the future
Many question whether the need for compliance is still relevant, given the outcome of the referendum vote. However, as Brexit is unlikely to take effect before March 2019, all UK organisations, including educational institutions, will need to comply with GDPR as of May 25, 2018, or risk being in breach.
Even after Brexit takes effect, the UK will need to adopt its own legislation in place of GDPR, broadly similar in effect. The information commissioner, who leads the regulatory body governing data protection compliance in the UK, has made it very clear that this will be the approach, so steps taken now to comply with GDPR will not be a wasted effort, but instead a way of future-proofing your compliance. On that basis, GDPR cannot be ignored.
Who’s your DPO (data protection officer)?
As an education organisation, you will be processing various categories of data, mostly relating to students and staff, in order to carry out basic daily operations. For organisations such as yours, GDPR will require the designation of a data protection officer (DPO).
Whilst this role may already exist in some form, GDPR imposes much stricter qualification and experience requirements, meaning that a member of staff simply ‘wearing this hat’ alongside their day job is unlikely to be sufficient.
Recruiting or training a suitable individual should be an immediate concern, as in reality there are not enough sufficiently qualified specialists in the market to meet demand. Whilst educational organisations may be able to group together to hire a single DPO, the person appointed must be easily accessible to each organisation.
Managing sensitive data
Within the sector, a large proportion of the processed data will be classified as sensitive, such as information relating to health records, classification of ethnicity or religious indicators.
You should ask if your school:
- Takes adequate steps to ensure that it only collects information which is necessary for specific purposes?
- Only holds on to this information for as long as it is deemed necessary?
These are the concerns that must be addressed in advance of May 25, 2018.
Suitable consent?
Data relating to children also raises the issue of whether suitable consent has been provided for its processing. In most cases, you will rely on the consent of parents or guardians. This consent needs to be clearly documented, and the purposes for which the data is processed need to be specific. Under GDPR, consent is going to become much harder to rely on, and steps should be taken now to address this point.
Understanding legal rights and complexities
Another factor for consideration is that individuals are becoming more aware of their legal rights in respect of data protection, with the scope of these rights increasing under GDPR. Subject access requests are increasingly common with individuals wanting to know what data is held on file about them and their children.
Does your organisation understand the data it holds, and where it is stored, well enough to comply with such a request within the reduced deadline of 30 days?
The time for action is now!
Failure to tackle GDPR in time for it to take full effect could lead to significant consequences for any organisation. The information commissioner’s office (ICO) will be able to impose fines based on a percentage of worldwide turnover or a fixed sum, whichever is higher. In some cases, this can be up to €20m, a steep increase from the current maximum fine of £500,000.
Perhaps more importantly, any step taken by the ICO can and will be published. This not only puts the organisation under the scrutiny of the ICO going forward, but puts any breach or investigation in the public domain. Where trust and safety are the foundation stones of your organisation, this reputational risk could have consequences far more damaging than any monetary fine.