Many schools and colleges are finally starting to draw breath after a hectic year preparing for the arrival of GDPR.
Large businesses and multinationals have been able to divert significant resources towards ensuring data protection compliance. However, this is not the case for most educational institutions, particularly at primary and secondary level, which are trying to cope within existing budgetary and staffing allocations.
A recent survey of privacy professionals showed that 96% of organisations had begun their compliance journey, with 74% expecting to be fully GDPR compliant by the end of the year.
While this is encouraging, it is important not to lose sight of another key piece of European legislation in the pipeline. The ePrivacy Regulation, now likely to be introduced at some point in 2019, will have wide-ranging impact on the area of electronic communications.
The Regulation will replace the existing 2002 Directive, also known as the ‘cookie law’, and is part of the EU’s strategy for a digital single market. While the GDPR applies to all categories of personal data, the ePrivacy Regulation will apply specifically to electronic communications and seeks to harmonise rules in this area.
The Principle of Confidentiality
At its core, the Regulation seeks to ensure providers of communication services handle data so that data subjects’ privacy and rights are always protected, adhering to the principle of confidentiality.
This principle states that “information exchanged between parties and the external elements of such communication… is not to be revealed to anyone other than to the parties involved in a communication.”
Educational institutions should be mindful of a number of key aspects of the proposed legislation.
Streamlining Cookie Rules
Education websites will be required to meet streamlined rules regarding cookies. We are all familiar with the consent pop-ups that greet us upon arrival at a new website, or when we return to a site after having cleared our existing cache. Adopting GDPR’s principle of privacy by design, the Regulation will require web browsers to give users a range of cookie options and tracking controls.
Online and offline direct marketing are still key components of most university and school student recruitment strategies. Under the proposed legislation, unsolicited electronic direct marketing by any means will be prohibited where consent has not been given.
An opt-in will be required in all types of electronic marketing save where email details have been obtained in the context of a sale or service.
Education marketing teams should note that while postal direct marketing falls outside of the Regulation, it is covered within the scope of GDPR.
Similarly, any institutions reliant on phone marketing will be required to display their phone number or use a special prefix number that indicates it is a marketing call.
Legal Persons are also covered
In addition to individuals, businesses as legal entities are now covered by the definition of ‘end user’. This is a significant change. One of the Regulation’s objectives is ‘to ensure an equivalent level of protection of natural and legal persons’.
This will pose difficulties for many firms as the principles outlined under GDPR were designed with an individual’s personal data in mind. This lack of clarity is likely to prove problematic as firms implement compliance programmes.
Content and Metadata
Privacy will be guaranteed for metadata as well as for the core content of the communication (i.e. text, voice, image and sound-based content). Examples of metadata include the location, time or date of a communication or the type of device used.
This metadata must be anonymised or deleted unless the user has given their consent for it to be retained or it is required for delivery of the service, such as billing.
Fines will be set at the same eye-watering levels as under GDPR, with a maximum fine of 4% of global turnover or €20 million, whichever is the greater.
The Data Protection Commission will oversee monitoring and enforcement in Ireland.
As with GDPR, compensation will be available for those who have suffered material or non-material damages.
What actions can your institution take at this point?
If you are already GDPR compliant, or are on your way towards compliance, your institution is in good shape for the arrival of ePrivacy. However, as we have seen, the new Regulation poses a number of additional challenges.
Start by assessing your school or college’s current cookie policies. Get legal and technical advice on the likely requirements under the new Regulation.
Talk to your web agency about early adoption of best practice in terms of the flexibility and the range of options you will need to offer visitors to your site.
Ask yourself: are you clear on the timelines that will be required for any development work and implementation, should the new Regulation go live earlier than currently envisaged?
Ensure your marketing and student recruitment teams review existing direct marketing activity, particularly e-direct marketing communications.
Examine how you currently process and retain electronic communications data. In particular, examine how metadata is used and retained within the organisation. Is it core to the service you are providing and will consent have to be sought from students or applicants in future?
Undertake an audit of what data belonging to legal persons is processed. Would this meet compliance requirements under the new Regulation?
Consider what level of training will be needed across the organisation. Could this be built into existing GDPR training programmes?
The next step is then to develop a risk matrix and identify actions, owners and timelines.
While much clarity is still required around the new Regulation, taking early steps alongside GDPR compliance measures will ensure your institution is prepared to meet the challenges and opportunities that the new regime will present.