It’s out with the old and in with the new in May 2018 as the General Data Protection Regulation (GDPR) sweeps into effect to replace the Data Protection Act (DPA). As the world moves into an ever more digital direction, our personal data, how it is used and who has access to it has become a global concern for all of us.
The GDPR is the first legislative change in recent years that will address these concerns, with a broad aim to invoke a cultural shift in the way businesses and institutions manage personal data.
It has been hailed by the EU as an essential step to strengthening citizens’ fundamental rights in the digital age and allows individuals to object to certain processing and have their personal data corrected, deleted and its use restricted.
The UK government has stated that the GDPR will apply within the UK after Brexit and, in any case, it will continue to cover all processing of Europeans’ personal data. Institutions must be well advanced with their compliance preparations by 25 May 2018, or risk being on the wrong side of the law.
What implications will the GDPR have for colleges and universities?
As well as records of what personal data exist within the organisation, the GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymised, and who may gain access to it.
This information lifecycle approach is also fundamental to international standards on quality and information security, so should contribute to institutions’ achieving those goals as well as to compliance with the GDPR.
Institutions are still required to apply appropriate organisational and technical measures to keep information secure and there are new duties to report security breaches to the Information Commissioner’ Office (ICO) and, in some cases, to the individuals affected. Planning what to do in case of an incident could well be done as part of developing information lifecycles.
The GDPR introduces new requirements on the way new information-handling processes and systems are developed.
For large-scale or risky processing, formal data protection impact assessments must be performed as part of the design process. Draft guidance from European regulators suggests that this “data protection by design” approach should be extended to existing systems within three years.
Where institutions rely on consent to process individuals’ personal data, they must be able to demonstrate that this consent was “freely given, specific, informed and unambiguous”. For example, the common practice in the services sector of making access to public Wi-Fi conditional on granting consent to receive marketing information will no longer be lawful, since the two are unrelated.
Designed to reduce the overuse of consent, this change may well require institutions to consider whether data collection and processing is in fact necessary under another legal basis – contract, legal obligation, vital interests, public interest, or legitimate interest of the organisation – and, if so, adjust processes to meet the relevant requirements.
Finally, breaches of data protection are already becoming more damaging to organisations. Recent failures of security and inappropriate practices by businesses and charities have been widely publicised and criticised, damaging the reputations of the affected organisations and raising questions for their entire sector.
Fines for breaches are likely to increase, as the GDPR raises the upper limit from the UK’s current £500,000 to as much as €20m.
What must colleges and universities be doing now to ensure they are ready for May 2018?
Several of the required changes – notably the information lifecycle audit and the adoption of data protection by design – are likely to be time-consuming. Institutions should have already started work on those but, failing that, the sooner work starts on planning, the better. Raise awareness throughout the institution and ensure key people and decision makers are aware of the law change.
The larger the institution, the more resource implications there are likely to be when implementing the GDPR, so it is important to use the rest of the lead-in period effectively. Read our advice on the steps to take.
Be in the know
Know what information you hold, what you use it for, where it came from and who you share it with. Consider what you would do if a security breach occurred.
This will bring your institution in line with the GDPR’s accountability principle which requires you to be able to prove how you comply with its data protection values. Conducting an information lifecycle audit might be a good idea. Read our advice on information lifecycles.
Assign a data protection officer (DPO)
Having someone take responsibility for compliance with the GDPR will make things a lot easier, and may even be a legal requirement. With the relevant knowledge and authority, a DPO can provide support to others and oversee a smooth transition.
The Article 29 Working Party of Data Protection Regulators has published draft guidance on DPOs.
Review your privacy notices
Under the GDPR there are some additional details people must be told when obtaining their personal data: the legal basis for processing the data, the retention period and the individual’s right to complain to the ICO if they think there is an issue with the way their personal info is handled. This is usually by way of a privacy notice, so review the notice and put a plan in place to make any necessary changes.
The ICO sets out the minimum information a privacy notice should contain.
Ensure an individual’s rights can be upheld
Under the GDPR, individuals’ rights have been enhanced. These include rights to:
- Subject access
- Have inaccuracies corrected
- Have information erased
- Prevent direct marketing
- Prevent automated decision-making and profiling
- Data portability
Effective implementation of these rights should also improve the quality of the institution’s data and processes. Institutions would be wise to give the above scenarios a dress rehearsal on systems before the GDPR takes effect. The ICO website has more information on these rights.
Review how consent is given
The way institutions seek, obtain and record consent to process personal data is likely to come under scrutiny under the GDPR, so a review of current practices is essential. Consent must be freely given, specific, informed and be a positive indication of agreement – not inferred from silence or inactivity.
An alteration in mechanisms that record consent to data processing may be necessary in order to make proving consent easier. Read our analysis of the ICO’s draft guidance on consent.
Data breach drills
The GDPR will introduce a blanket policy for all organisations, obliging them to inform the ICO within 72 hours of suffering a personal data breach, whenever this creates a risk to the affected individuals. For serious risks, such as an identity theft or financial loss, organisations may also need to inform individuals directly.
Institutions must ensure they have the right procedures in place to detect, investigate and respond to a personal data breach when one occurs. Start by identifying the types of data held and note the ones that, if jeopardised, would necessitate contacting the ICO. The UK Commissioner has already fined organisations, under existing laws, for poor handling of data breaches. These fines seem likely to increase considerably under the GDPR.
While the upheaval and reorganisation required to come in line with the new regulation will be a burden for institutions throughout the EU, the reasons behind it and its results will be beneficial to all. With enough preparation, resources, knowledge and initiative, institutions should have few problems come May 2018.
Andrew Cormack, Chief regulatory adviser, Jisc technologies, Jisc
About Andrew Cormack: My current role is to keep Jisc technologies and customers of the Janet network informed about the legal, policy and security issues around networks and networked services.
Computer networks are a long way from the lawless "wild west" that some fear. Not only do all real-world laws apply to on-line activities, there are many laws specific to networks as well.
My job is to keep track of those, and ensure that the Janet network's policies and services conform to them.
I've also contributed to the development of a number of laws - including on defamation, copyright and criminal content - to help make them more effective in protecting networks and their users.