From education to employment

Is the FE sector ready for GDPR?

David Morris, technology assurance director at RSM
The imminent introduction of the EU’s General Data Protection Regulation (GDPR) represents a real challenge to educational establishments at all levels across the country: they process a wide range of sensitive data, and there are currently no exemptions that are specific to education.
The aim of the new regime is to give EU citizens more control over their data in all locations – including the cloud – and incorporate recent human rights legislation into a more consistent framework across Europe. It comes into force as national law in May 2018 and replaces the current Data Protection Act. Brexit does not remove the compliance requirement.
Whilst the principles that will be introduced through GDPR are quite clear, how they will work on the ground in all sectors still needs to be determined. There are several things that are already apparent though:
  • the impact of getting compliance wrong in the future will potentially be much more serious as sanctions have been increased;
  • the requirements will have affected this autumn’s enrolment in that pupils and students who have just joined the roster come into scope in May 2018. As such, the way that they have been processed – and how consent was gained – will have an impact further down the line;
  • for the further education sector, a particular concern will be the new requirement to provide specific protection to all data relating to children and vulnerable adults. This may require that additional controls be put in place; 
  • the role of the Data Protection Officer will assume a new importance, and this may mean that the current incumbent is not suitable for the role. Independence will be key, so schools and colleges may have to re-allocate the post to someone in a different position or even hire someone new with the skills necessary to carry out the role; and
  • this is not an IT issue. Whilst data in systems will clearly need to be protected, the organisation as a whole will need to be involved, as new governance structures and control processes will be required.
However, there is good news. May 2018 does not have to be an absolute end point for full compliance. The Information Commissioner’s Office (ICO) have intimated that they understand that progress may be slower for some sectors and that they expect organisations to demonstrate good progress rather than absolute compliance on the due date.

This is not a get out of jail card – FE organisations still need to start their compliance processes as soon as possible if they have not already done so.

The other thing that helps the sector is that the need for good data governance is not new. Schools and colleges have always had to have good governance frameworks in place given current legislation such as the Data Protection Act and Safeguarding. Staff can build on these when driving for GDPR compliance – they do not have to be thrown away or discarded. Existing processes, such as consent and breach reporting, will be supplemented by new rules and requirements. For example, the rules around consent will need to be strengthened as specific opt-in consent will be required in the future. Consent by implication or pre-populated tick boxes on websites will no longer be allowed.
There are aspects of GDPR that bring in entirely new principles that look to address the growth of data in the cloud and social networks. For example, the ‘right to be forgotten’ will be enshrined in the new rules. This means that schools and colleges must introduce processes that have not been required before. Key to this will be knowledge of what is termed ‘the data footprint’. If alumni request that data held on them be erased, the organisation will only be able to do this if they know what they hold on them, where it is and what form it is in. They can also refuse the request under some circumstances, for example for funding purposes.
So, what should you do in the short term? 
  • The ICO have outlined a very useful 12-step approach to preparing for compliance that should be obtained and reviewed.
  • Care should be taken to bring in data protection by design, i.e. don’t introduce any new systems or processes that don’t comply with the planned regulations.
  • A data governance group should be set up to consider the implications of GDPR and drive compliance activity.

There are still many unknowns – for example the need for retrospective consent, interaction with existing legislation or the extent of any external audits regime – but schools and colleges can start building their revised compliance frameworks now and indeed, they need to do so without delay.
