GDPR’s first anniversary – an overview a year on and implications for schools
In this article, Paul Hancock, Commercial Manager at SWGfL – a partner in the UK Safer Internet Centre – reviews GDPR in its first year and looks at what schools should consider next.
The General Data Protection Regulation (GDPR) came to life on 25 May 2018, two days after the Data Protection Act 2018 (which complements the GDPR) received royal assent.
The ICO has just released its summary of the last year. So what’s been happening in the data protection area since the GDPR and the Data Protection Act 2018 (DPA) came into force? Two of the main areas to look at are the reporting of data breaches, and fines imposed by Supervisory Authorities like the Information Commissioner’s Office (ICO).
Data Breach Reports
Between 1 April 2017 and 31 March 2018, the ICO reported a year-to-year increase in data protection concerns received of 14% (to 21,019) and an increase in self-reported data breaches of 29% (to 3,156).
However, Stephen Eckersley (ICO Head of Enforcement) has stated that the ICO then received over 650 data breach reports in May 2018, and over 1,700 in June 2018, showing a “massive increase” as the GDPR landed. The ICO’s “GDPR: One year on” report confirms that they received around 14,000 data breach reports between 25 May 2018 and 1 May 2019.
As you’d expect, it’s not just the UK either. According to a survey by DLA Piper in February 2019, the eight months for which the GDPR had been in force saw over 59,000 data breaches reported to the 31 Supervisory Authorities across the EU member states and the three EEA countries.
So the GDPR has certainly been successful in changing breach notification practices (by making such notification mandatory).
In the year to 31 March 2018, the ICO issued eleven fines under the Data Protection Act 1998 totalling just over £1.2 million in relation to serious security issues, and a further eleven fines totalling approx. £138,000 to charities for unlawful processing of data.
Prior to 25 May 2018, the highest fine imposed by the ICO was £400,000 to Carphone Warehouse. Though both Facebook and Equifax have been fined more (£500,000 in each case) since, the former in relation to the Cambridge Analytica scandal and the latter for a major security issue, both were based on matters that occurred before 25 May 2018, and so were processed under the Data Protection Act 1998 (where £500,000 was the maximum fine) rather than the GDPR.
However, Google was fined a record 50 million euros (approx. £44 million) by CNIL (the French Supervisory Authority, as the ICO is for the UK) under the GDPR for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
Given that Google reported revenues of more than $136 billion, that’s just over 0.04% of turnover, with the GDPR providing for up to 4% (which would have been a maximum of $5.4 billion in this case). Whilst a huge fine in comparison to those issued under the previous legislation, it could have been worse for Google.
This report from the European Data Protection Board states that administrative fines had (between May 2018 and February 2019) already been imposed totalling nearly 56 million euros. This may seem like a lot, but nearly 90% is the single fine imposed on Google.
So far then, it could be argued that the GDPR has been more successful in levering improvements in breach notification than in financially penalising companies that fail to adequately secure personal data.
Since 25 May 2018, the ICO has undertaken 37 pieces of work focussed on education and childcare (29 advisory visits, seven audits and one report). Half of the audits found “considerable scope for improvement” in governance and accountability, and in data sharing: if these are typical of the situation in schools, then there is work to be done.
However, clear positives were also noted: the establishment of a group to oversee process development, staff data protection awareness training, and progress towards compliance with the GDPR were praised in three of the audit reports.
In the year to 31 March 2018, the ICO received 11% of the 3,156 self-reported data breaches from the education sector (second only to the health sector, and nearly double the 6% in the previous year).
Are schools experiencing more data breaches, or are they more aware – since the GDPR and DPA came into force – of their obligations now?
The answer is likely to be ‘a bit of both’.
In their ‘cyber risk and education’ paper, insurance company Ecclesiastical found that one in five British schools and colleges had been a victim of cyber-attacks, with 71% having received some form of malware and 50% having experienced phishing attacks.
Information security (and cyber security) is becoming more important in every sector, and schools are no exception. But ongoing budget constraints, requirement for specialist skills and expertise, and the pace of change – both in terms of the threat landscape and the controls (technical, administrative and physical) to manage those threats – mean many schools struggle to achieve the levels of security they want (and need).
What Next: the GDPR in general
Mathias Moulin, from CNIL in France, stated that up to now “should be considered a transition year” for the GDPR. This suggests we’ve seen Supervisory Authorities provide organisations with latitude to settle their processes, as well as work out how they’ll will apply various elements of the GDPR in their own locality, and closing investigations commenced under the previous legislation.
But the emphasis will now change. Whilst those fines haven’t been – in most cases – as significant as you might have expected, there is going to be an increase in enforcement activity (including fines, but also other tools and measures that Supervisory Authorities like the ICO have available to them).
As the Information Commissioner, Elizabeth Denham, stated at the Data Protection Practitioners’ Conference on 8 April 2019, “this next phase of GDPR requires a refocus on comprehensive data protection”.
This isn’t a box-ticking exercise. Comprehensive data protection requires thorough, embedded processes. You need to know:
- what personal data you have (or will have);
- why you have it;
- where you have it;
- what you’re doing with it;
- how and when you got it;
- that it’s what you need (and not more than you need);
- that it’s accurate;
- for certain purposes, when the data subject said it was OK for you to have it;
- how you’ll return (or destroy, or stop using) it, if the data subject asks you to;
- how you’re securing it;
- when (and how) you’ll dispose of it; and
- how you’re telling data subjects this,
and you’ll need to keep clear records of this.
You’ll need to:
- think carefully about your systems (both technological and paper-based), and what data protection provisions are necessary;
- put in place effective risk assessment and analysis processes, particularly for more sensitive data;
- be providing effective training to staff, not just once or twice, but as part of a ‘comprehensive’ program;
- have the right people involved, performing the right roles; and
- work with your suppliers, too. Where other organisations are processing personal data for you, the agreements between you need to state how they’ll do that.
The ICO enforcement toolkit is not limited to issuing administrative fines; the ICO can also order the suspension of processing. That could mean that use of the school MIS, electronic attendance, email system, and even CCTV would be prohibited.
That wouldn’t happen? It has. The Dutch Supervisory Authority (Autoriteit Persoonsgegevens) prohibited processing by the tax authority in relation to use of the Dutch national identity number (BSN), and in Malta the Information and Data Protection Commissioner (IDPC) temporarily suspended use of the Land Authority portal due to a data breach.
What Next: the GDPR and Brexit
The GDPR is designed to be generally consistent across all EU member states. Being a regulation (rather than a directive), it is applicable and effective on its own (without separate legislation in each member state).
As the GDPR is applied in the UK by virtue of being part of the EU, when the UK leaves the EU, the GDPR will no longer apply as law in the UK. The Government intends to absorb the GDPR into UK law, so whilst it’s unlikely there’ll be considerable change to the data protection rules we’ve become familiar with, things like transfers of personal data will need attention (including, for example, where a cloud ICT service based in the EU is used).
In order to process personal data in compliance with the GDPR, countries and organisations outside the EU need to demonstrate that they offer an adequate level of data protection, and where they do, they receive an ‘adequacy decision’ (which may only apply in certain circumstances, as is the case with the EU-U.S. Privacy Shield scheme).
The key variable for the UK is whether Brexit takes place with a “deal” or with “no deal”. A “deal” Brexit means the UK and EU will have successfully agreed a withdrawal agreement (under ‘Article 50’), while “no deal” means they failed to do this.
The withdrawal agreement will set out a transition period, during which the UK can essentially continue to operate as part of the EU (so data protection in the UK would function without change). Personal data can continue to flow freely from the EU to the UK, and from the UK to the EU.
At the end of the transition period, the UK will be outside the EU, and will require an adequacy decision for personal data to continue to flow to and from the EU.
A “no deal” Brexit means that there is no transition period, and the UK would be outside the EU (and therefore require an adequacy decision in order for this flow of personal data to continue) straight away.
What Next: the ePrivacy Regulation
Like the previous Data Protection Act 1998, which was the UK law corresponding to the EU Data Protection Directive, the Privacy and Electronic Communications Regulations 2003 is a UK law corresponding to the EU Privacy and Electronic Communications Directive (2002/58/EC).
The GDPR and DPA apply to the processing of personal data. The ePR is intended to complement the GDPR by setting out specific rules in these areas, and around the use of direct marketing by electronic means (including email and telephone) where consent has not been given (in which case such marketing is prohibited).
What does the ePrivacy Regulation mean for schools? It is likely to be less impactful for the education sector than for others, since the extent to which schools perform electronic marketing won’t go as far or as wide as for many private companies. Cookies on school websites, of course, will be covered by ePR.
Help for Schools
A lot of schools, Multi Academy Trusts (MATs) and colleges will have made good progress, but there are many that need help with the GDPR, and with data protection and information security generally.
We’ve broken the GDPR down into bite-sized chunks, starting with key, high level units, and moving on to more specific areas which we’ll be adding to assemble a complete GDPR reference pack.
If you’re unsure about how well your schools’ policies, processes and practices meet the requirements, SWGfL can undertake a review and audit of your data protection, information security, or both.
A review and/or audit is a cost effective way of assessing and analysing the organisation-wide position, and helps to:
- better understand risks;
- identify strengths and areas for development;
- build a prioritised action plan; and
- set a baseline to measure and evidence improvement.