By Steven Roberts
Schools and colleges across Europe are by now well aware of the General Data Protection Regulation (GDPR) and its imminent arrival on 25th May. The legislation has received significant media coverage over the past twelve months.
It poses a challenge for the sector. Education providers store large volumes of personal data – on students, parents, graduates, staff and former employees. In some instances, this can include sensitive data as defined under GDPR, such as information on a person’s ethnicity and religion.
It is all too easy in our day-to-day working lives to put off implementing the changes required to comply with the new law. A recent study by McCann Fitzgerald and Mazars found that three quarters of Irish businesses are unprepared for the introduction of GDPR.
To simplify the process, I outline some of the core principles to be aware of and list some steps you can take to ensure you and your team are compliant.
Understand the seven core principles for processing personal data.
There are seven fundamental principles that apply when processing personal data. This is the place to start your compliance journey as it forms the core of GDPR.
1. Lawful, fair and transparent. Institutions are required to process data in a lawful, fair and transparent manner. When collecting personal data, you must advise what processing will be done, and in clear and straightforward language.
2. Purpose limitation. Personal data should only be obtained and used for specific, explicit and legitimate purposes.
3. Data minimisation. Think clearly about the data you actually need. Make sure it is relevant and necessary only for the purposes for which it is being processed.
4. Accuracy. Your school or college must put policies in place to ensure any data held is both accurate and up-to-date.
5. Storage limitation. Do not keep data for longer than necessary. If you do not have clear retention policies, now is the time to put these in place.
6. Integrity and confidentiality. Make sure your data is confidential and secure. For example, put in place clear user rights and controls on who can access what data.
7. Accountability. Your institution is responsible for compliance with GDPR and must be able to demonstrate this.
Know the legal basis for processing personal data.
There are six legitimate bases for processing someone’s personal data.
1. Consent – this must be freely given, specific, unambiguous and informed.
2. You can process data if the processing is required to enter into or perform a contract.
3. Legal obligation – if an obligation exists under EU or member state law.
4. If it is in the vital interests of the data subject.
5. If it is in the public interest.
6. If it is in the legitimate interests of the controller or processor, but this must be balanced against the rights of the data subject.
Know your data
The next step is to gain a thorough understanding of your current data. This is achieved through a data audit, which looks at aspects such as:
– What data does your school or college currently store?
– Why did you obtain it?
– What purpose was it obtained for?
– What security and retention policies are in place?
– Is there a policy and procedure in place to respond to data access requests?
– Are contracts in place with third party suppliers who process your data?
Depending on the size of your organisation, it may require hours, days or a number of months to establish a detailed inventory of all the data you are currently storing and utilising. A useful part of this process is to put together a diagram or visual representation of the data.
Train your team
It is too easy to presume that knowledge of data protection is someone else’s job, be it the data protection officer (DPO) or legal counsel. You and your team must ensure you have adequate training on GDPR and best practice.
Anyone who interacts with personal data should have at least a grounding in the basics of GDPR, particularly the legal bases for processing. There are plenty of courses and seminars available, which will enable you to quickly upskill.
Start re-permissioning
Many of us will have databases of contacts stretching back years. GDPR requires your institution can provide tangible proof they provided consent to have their data processed.
Businesses are now undertaking re-permissioning of their databases for this purpose and developing centralised systems where this proof of consent can be quickly and easily accessed. It is also a useful time to review or develop clear retention policies. The era of keeping data on file ‘just in case’ has clearly passed.
Prepare for data access requests
GDPR removes the previous cost of Ä6.35 to make a data access request, while the response time is shortened to 30 days. If a parent or student submits a request for their data, how will your school or college manage this?
Work with your in-house or external advisors to put in place a procedure. Who will follow up on the request once it is received? Have you a clear understanding of where the data is held? Are there multiple owners that need to input? Putting in the effort in advance will save you time, hassle and stress in the long run.
The European Court of Justice (ECJ) recently ruled that exam transcripts constitute personal data. A student can now potentially access not only their written answers in the exam, but also the examiner’s comments relating to those answers. It is worth considering how your institution will respond in such a scenario.
Be aware of specific rules to protect children’s personal data
The GDPR contains specific rules to protect children’s personal data. This is of particular importance to the education sector.
The recently published Data Protection Bill 2018 sets the age of digital consent at 13 years. In the case of children below this age, the parental authority or guardian must provide consent.
There are also additional requirements on the language used when seeking consent.
Put processor agreements in place
Many of us use third party suppliers to process data. This could be a CRM provider or a web agency that manages your college’s website. Under GDPR you are obliged to put in place formal contracts with these providers. This can take time, so if you haven’t begun already, look to start as soon as possible.
Undertake Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) will be mandatory for any new activities that involve the systematic processing of large amounts of personal data. For example, a new HR system or international transfers of data. A DPIA must be undertaken prior to any processing activity taking place. Take the time to build this into the timelines and procurement practices for upcoming projects you may be working on that fit this category.
Don’t Panic
The GDPR will be upon us in less than three months.
The good news is you still have time to commence your journey towards compliance.
Use the compound effect. Take clear steps each day. By getting to know the legislation and core principles, you and your institution will be well placed to prosper under the new data regime.
