You may have heard of the General Data Protection Regulation (or GDPR); if you haven’t, it is a change in the legislation regarding how personal data can be stored and used and it comes into effect on the 25th May 2018. But what does it actually mean? What do we need to change in order to be compliant with this new law?
Global communications has changed significantly in the last 50 years, and with the growth of internet technologies and computing, it was inevitable that data privacy laws would need redoing – especially considering the legislation it replaces in the UK is now 20 years old (Data Protection Act 1998).
Apart from legislative reasons, there are real problems that GDPR aims to solve. It has become clear over the past 10 years that personal data is a valuable commodity (just look at Google and Facebook among other companies), where products and services are free at the point of use, supported by advertising and other processes that use the data collected.
Over the past few years there have also been a string of huge data breaches that have shown companies are hoovering up massive amounts of personal data, which has led to questions such as:
What processes do they have in place to keep the data secure?
Are they handling the data correctly?
Do they have permission to use the data in the ways they are using it?
Do they even need to hold the data in order to perform the function we asked them to perform?
GDPR will strengthen and unify data protection for individuals within the EU, and will force all organisations processing personal data about EU citizens to abide by the new regulation.
What is personal data?
Personal data is defined as any information relating to an identifiable person who can be directly or indirectly identified from it. This is basic information such as name and email address, photos, and IDs.
This includes any electronically gathered and/or stored information, as well as paper-based storage.
There are also ‘special categories’ of personal data that schools are likely to handle, such as ethnicity and health information, which have additional rules around how the data should be stored and handled.
Controllers and Processors
GDPR applies to both controllers and processors, so all parties involved can be liable.
As a controller you are required to determine the purposes and means of processing personal data, and you have legal obligations to ensure your contracts with data processors are GDPR compliant.
As a processor you are responsible for processing personal data on behalf of a controller, you are required to maintain records of personal data and processing activities.
You must have a good reason to collect and hold personal data, which needs to fall into one of the six lawful bases:
- The Data Subject has given explicit consent for the data to be collected and used for a particular purpose
- It is necessary to process the to fulfil a contract you have with the Data Subject
- It is necessary to process the data to comply with a legal obligation you have
- It is necessary to process the data to protect the vital interests of someone
- It is necessary to process the data to perform a task in the public interest
- It is necessary to process the data for the purposes of your legitimate interests
Each piece of personal data processed by the school must be attributed to one of these bases otherwise the processing is not lawful. Much of the personal data processed by a school (or other state funded educational establishment) will fall under the public task base. But you should always ensure that this is the case. For example, it’s lawful to collect student address and telephone number under public task but it is not lawful to then share that with other third parties for a ‘non-core’ task without gaining appropriate consent.
Reasons for processing data
The new regulations are designed to prevent organisations from collecting massive amounts of personal data, when they don’t necessarily need it for the purpose it was collected for, or that purpose has been served and there is no longer a need to keep it.
Part of preparing for the new regulations is going to be about auditing all the personal data you hold, and determining whether you actually need it. This process should also be documented, because we will all have personal data that we no longer need. Documenting what data there is, why you need it or how it has been discarded, is evidence that you have proper processes in place should a data breach occur.
This alone is not going to be a simple task, when you get down to stores of unstructured data, such as Word documents, spreadsheets, and email archives; determining whether they contain personal data, why it was created, and who’s data it contains, then deciding what to do with that data is not going to be an easy task.
What is a data breach?
The definition of a personal data breach is now more robust and clear than previous legislation; a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Whether accidental or deliberate, anything that causes personal data to be lost, destroyed, corrupted,disclosed or unavailable, for whatever reason (for example, if it becomes encrypted by malware), can be considered a breach, and the ICO must be notified within 72 hours of the breach being discovered.
If the breach is significant enough to adversely affect the rights or freedoms of data subject(s), they must also be notified.
All this adds up to mean that you must have a plan in place for how data is to be protected,, how your systems should be monitored for data breaches, and for what happens if a breach occurs. Staff will need training on how to handle data and record how it is used.
Rights of the Individual
GDPR is designed to give control over personal data back to the data subject, as and such it defines a number of individual rights over that data that organisations must adhere to, they are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Individuals whose data you will be processing now have the right to be informed about the collection of any of their personal data, the reason you are collecting it, how it will be processed, who it will be shared with, and how long it will be held for.
They also have the right to request to see that data, for that data to be available for use by other services that the individual requires, for any incorrect information to be corrected, or for data be deleted (depending on the basis for the data being processed). They can also restrict usage of the data, and for personal data processed on the basis of their consent, the individual has the right to withdraw consent at any time.
The basis for processing the personal data of a child is also more complex, as parental consent may also be required.
The current data protection act places a statutory requirement upon schools to comply and GDPR is an evolution of these requirements, with transparency and accountability on both the controller and processors’ part, and on control over that data for the data subject.
It is not going to be an easy task for any organisation to evaluate and consolidate the data they have, and put in place the training and processes needed to remain compliant in the future. But GDPR is not something that will ever be completed; it is an ethos and a set of processes that need weaving into every area of your organisation where personal data is handled, and as its implementation matures we will no doubt see organisations struggle with certain aspects.
The 25 May 2018, when the legislation comes into force, should not be viewed as a finishing line, but by developing a plan to get to a place of compliance, and getting the people in your organisation to start thinking about how data is handled and processed, you will be well on the road.
For more help with knowing your obligations and developing your plan, you can access our GDPR Guidance for Schools and Colleges:
This article was originally published by SWGfL