The General Data Protection Regulation (GDPR) has taken a heightened position in mainstream media across Europe and could influence business motives. However, although education is one of the most dominant sectors in the world, it is sometimes left unaddressed.
The introduction of new legislation
GDPR is undoubtedly the biggest shift in European legislation in years, but to know how it will influence the education sector, you need an in-depth understanding of what it actually is. GDPR is set to strengthen data protection across Europe and will eventually replace the current Data Protection Act (DPA). It will be implemented on the 25th of May 2018. Even though the UK will soon leave the EU following the 2016 referendum, it’s likely that GDPR will be brought into UK law by the government and enforced as if it were its own initiative to help unify data protection.
The must-knows for education establishments across the UK
Education centres collect an immense amount of information over the years, with details on students of the past and present — as well as staff who come and go. More educational institutes acquire surveillance footage of what is happening on a daily basis through the necessary CCTV systems that they have in place. Whether it’s stored in a filing cabinet or backed up on an IT system, there’s a lot of data collected in schools and universities, and this will eventually be impacted by the GDPR legislation.
Education establishments in the UK currently have a ‘duty of care’ laid out by the DPA, which will soon be replaced by GDPR, and store information in a secure location to reduce the occurrence of any data breaches. Although GDPR will still have DPA elements, education practices will have a more intense responsibility for protecting data, no matter what the format is, to ensure that they comply with the new regulation.
If education centres don’t comply with the new legislation enforced by the EU and adopted by the UK government, schools could find themselves paying extortionate fines. As schools will currently know, under the DPA, the non-compliance payment can reach a high of £500,000, which is enforced by the Information Commissioner’s Office. GDPR fines could amount to £20 million, or 4% of global turnover, for both data controllers and processors.
Data Processor Definition: Processing data on behalf of the data controller — an external factor to the education centre.
Data Controller Definition: How personal data is processed — in this case, within education centres.
Once GDPR has been implemented on the 25th of May 2018, it will become a criminal offence to use a data processor that does not specialise in IT asset disposal. Education establishments will have to prove that they are working with a credible organisation when it comes to the disposal of data.
Currently, under the DPA, education institutions are not required to have a contract of agreement with the data processor that they use. However, this is all set to change under the GDPR ruling. Next year, schools will have to have a contract or SLA (Service Level Agreement) in place with whoever they decide to work with — if this is not enforced, you will be breaking the law.
How to take action to be ready for GDPR
With your education centre already complying with the DPA, you’re not too far behind in making the appropriate changes ready for GDPR. However, just because you’re complying with the DPA doesn’t mean you’re complying with GDPR — and this means you must review and make some adjustments to your current policies.
According to the Information Commissioner’s Office, the education sector must start preparing in advance, and there are a few ways to do this. The first step is awareness: you need to make sure that everyone who handles any type of personal data is aware that the DPA is changing to GDPR, knows what they can and can’t do, and understands the consequences.
Begin by looking at who receives your data, and complete an information audit to help determine each organisation. As children are usually involved, you need to put systems in place that will help verify a person’s age and then gather parental/guardian consent for any data processing activity that you might carry out.
Year after year, people leave your establishment and you will likely keep their records for a while — but at some point, you will need to get rid of them. To do this, you need to consider the students’ rights, and this can determine how you delete data or provide data in an electronic format.
It’s vital that you have an efficient data breach procedure ready if one were to occur, ensuring that you have the capability to mitigate the situation. All staff handling data should be aware of these procedures. It could be beneficial to appoint a Data Protection Officer who can take responsibility for data protection.
Here at 2020 Vision, suppliers of efficient access control systems and experts in the security industry, we think that those working in the education sector need to look over their current methods and take more time to consider the use of data under GDPR.