The introduction of the General Data Protection Regulation (GDPR) is a topic heavily discussed across European media, and it will undoubtedly affect businesses across all sectors. However, although it is one of the largest sectors in the world, education is sometimes left out of that discussion.
If you plan on making changes to comply with GDPR as an educational institution, you first need to understand what it is as a whole. GDPR is set to strengthen data protection across Europe and, in the UK, will supersede the current Data Protection Act 1998 (DPA). It applies from 25 May 2018.
Even though the UK will leave the EU following the 2016 referendum, it is likely that GDPR will be carried into British law by the government and enforced as if it were a domestic initiative to unify data protection, so leaving the EU will not remove the obligation.
What you must know about GDPR
Education establishments already store personal information under the DPA: they hold records on past and present students as well as on employees.
Many educational institutions also capture CCTV footage of day-to-day activity through the surveillance systems they have in place. Whether it sits in a filing cabinet or is backed up on an IT system, a great deal of personal data is collected in schools and universities, and all of it falls within the scope of GDPR.
The data that education establishments collect over the years must already be kept in secure locations and protected against breaches.
That obligation remains once GDPR arrives, but education practices will carry a heavier responsibility for protecting data, whatever its format, in order to comply with the new regulation.
Large fines can be issued if schools do not comply with GDPR, harsher than the penalties laid out by the DPA. As schools will know, the maximum penalty under the DPA is £500,000, enforced by the Information Commissioner's Office (ICO). Under GDPR the maximum rises to €20 million or 4% of annual global turnover, whichever is higher, and it can be imposed on data processors as well as data controllers.
What is a Data Controller? In education, the data controller is the institution itself: it decides why and how personal data is used.
What is a Data Processor? A data processor is a third party that processes personal data on the controller's behalf and on its instructions, for example an outsourced IT, cloud or asset-disposal provider.
Under GDPR, a controller may only use processors that provide sufficient guarantees that personal data will be handled securely, and that includes IT asset disposal. Using a disposal contractor that cannot demonstrate this is a breach of the regulation and exposes the school to the fines above. Education establishments will have to prove that they are working with a credible organisation when disposing of equipment and the data it holds, and should keep evidence such as certificates of data destruction.
Under the DPA, a written contract with a data processor is already expected, but GDPR goes further. From next year, schools must have a written contract in place with every processor they use, and it must contain specific terms: the processor may act only on the controller's documented instructions, must keep the data confidential, must help the controller meet its own obligations such as breach notification, and must delete or return the data at the end of the contract. A Service Level Agreement (SLA) on its own does not satisfy this. Operating without such a contract will be a breach of the law.
Making the right move as an education centre
As your organisation already operates under the DPA, you shouldn't be too worried about making the appropriate changes for GDPR. However, complying with the DPA does not mean you comply with GDPR, so you will need to review and adjust your current policies.
There are a few steps that those in the education sector can take to ensure their compliance with GDPR. The first step is awareness: make sure that everyone who handles any type of personal data knows that the DPA is being replaced by GDPR, what they can and cannot do with that data, and what the consequences of getting it wrong are.
As education centres hold a great deal of personal data, you need to establish what you hold, where it came from and who you share it with; an information audit is the way to achieve this. Because children are usually involved, bear in mind that GDPR treats their data as needing specific protection. Where you rely on consent as the lawful basis for processing, particularly for online services offered directly to children, you will need a way to verify age and to obtain parental or guardian consent. Much routine school processing will rest on other lawful bases, such as a legal obligation or a public task, so identify and record the basis for each processing activity rather than assuming consent is required.
You will eventually need to remove student data from your systems once they have left the school, so set retention periods and delete data when they expire. You must also consider students' rights under GDPR, including the right to access their data and the right to receive it in a commonly used electronic format, which will affect how you store and delete data and how you provide it on request.
To limit the impact of a data breach, you must have the right procedures in place to deal with one when it occurs, and all staff handling data should know them. GDPR requires a breach that risks people's rights and freedoms to be reported to the ICO within 72 hours of becoming aware of it, and the affected individuals to be told where that risk is high, so the procedure must cover detection, escalation and notification. It could also be beneficial to appoint a Data Protection Officer to take responsibility for data protection; for public authorities, which is likely to include most state schools, appointing one is mandatory under GDPR.
With GDPR just around the corner, 2020 Vision, specialists in access control systems, say that it is crucial for education practices to review their current approach and prepare one that complies.
Peter Houlis is the Managing Director of 2020 Vision