The General Data Protection Regulations are the ‘biggest change in 25 years’ to how organisations must manage personal data, but only a fifth of schools surveyed recently are aware of the May 2018 deadline.
There is a concern among schools and academies that they are unprepared for the impending changes to data protection regulations, which could expose them to large fines.
The new General Data Protection Regulations (GDPR) will come into force on May 25, 2018 and will replace existing data protection laws (the Data Protection Act 1998).
These findings come after the NHS recently fell victim to the global ransomware cyber-attack, when a virus infiltrated its outdated Windows XP systems, blocking access to patient records.
These new GDPR rules apply to all businesses and organisations that use personal data – including all schools and academies.
Whether you hold employee data, customer data, supplier data or, in this case, pupil details – if the data relates to an individual you will be required to comply with these new regulations.
Key changes under the GDPR include:
Compulsory notification of data breaches
Data breaches that affect privacy will have to be notified to the Information Commissioner, the UK data protection regulator, within 72 hours. There is an obligation to notify affected individuals in certain circumstances. Schools will need to monitor their systems to know whether or not there has been a breach. A breach might range from a parent database being hacked to a letter being put in the wrong envelope.
Obligation to be more transparent in how personal data is used
Schools will need to be open with individuals about what data they collect and what is being done with it.
The right to be forgotten
Individuals can require schools to erase their personal data. While organisations need to have a process in place to act on such requests, the right is not wide-ranging.
Increased rights given to individuals
The rights that individuals already have to access the data that schools hold will be extended. Additional information will need to be provided, generally within a shorter timescale. It will also no longer be possible to charge a fee.
Harder to obtain and maintain consents for marketing activity
Not all use of personal data needs consent. However, consent will be harder to obtain and maintain under GDPR.
The GDPR also contains new provisions intended to enhance the protection of children’s personal data. This includes privacy notices for children, which must be written in a clear, plain way that a child will understand.
The GDPR also states that parental/guardian consent for access to online services is required for children aged 16 and under. However, parental/guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child.
A number of resources have been published by the Information Commissioner’s Office (ICO), including a “12 steps to take now” document and a GDPR self-assessment checklist.
Key among the 12 steps to take now, the ICO recommends:
- Consent: you should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Information you hold: you should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
- Data breaches: you should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Individuals’ rights: you should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Data Protection Officers: you should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
Under the new rules, the maximum fine for certain data breaches in the UK will rise from £500,000 to €20 million.