This article has been compiled as an information and signposting feature and does not constitute legal advice. Individuals, schools, colleges and other organisations are encouraged to seek legal advice, along with information from the Information Commissioner's Office (ICO) in the UK, or to consult the EU's own documentation on the GDPR.
New rights and responsibilities regarding personal data come into force across Europe on 25th May 2018 under the General Data Protection Regulation (GDPR). Individuals gain new rights to know what information organisations hold about them and what those organisations may do with it. Organisations take on new obligations, including ensuring they have a proper basis, such as consent, for holding such data, and taking responsibility for the way the data is held. The changes affect everyone, including schools, educational companies and individuals.
Much of GDPR is not new: a great deal of it is already covered in the UK by the existing data protection regime, but compliance with that regime is to be strengthened. GDPR readdresses the balance in favour of individual rights, and gives organisations a clearer basis for understanding how to comply.
What is GDPR?
GDPR strengthens principles that are already present in current data protection law. It particularly strengthens rights in the area of transparency, with clearer obligations on organisations to give individuals clear, accessible and plainly worded information whenever their personal data is used. This is meant to drive a step change away from the 'difficult to read' privacy notices and terms and conditions that currently explain to individuals how their data will be used. GDPR also strengthens the individual's rights over the data held about them, including the right to have it erased in certain circumstances; it is designed to give individuals control over their own data. Finally, GDPR places obligations on organisations to be accountable for their use of data, so that they take responsibility for assessing the risks themselves. This includes schools and educational establishments. Put simply, however large or small an organisation is, if it holds data about individuals then GDPR is relevant to it.
So what do companies and schools have to do under GDPR?
In practical terms, schools and organisations should now be conducting a data mapping exercise: looking across the whole organisation and asking how personal data is used and for what purpose, how long it is kept, what is done with it, and where it is sent. Where a customer database full of old information is held, the organisation should ask why it is still keeping that information and clean up the data. For schools with complex Management Information Systems, virtual learning platforms and the like, Iain Bradley from the DfE explains how to review and improve the handling of personal data in an informative video on the ICO website. Fundamentally, organisations need to consider what data is being held, why it is being held, how securely it is stored, and what processes are in place should a security breach occur.
Why is GDPR needed?
GDPR needs to be seen in the context of the modern digital age and the sheer number of digital relationships individuals now hold with a variety of organisations. Each person may have 50-100 such relationships, and the data held within them can be used to make decisions about us that affect our daily lives. An intrusion into that privacy, or use of the data in a way we do not expect, can have a real impact on individuals.
What is personal data?
On the face of it, personal data sounds simple, but when we look more closely at the information actually held, it can quickly become a lot more complex. Many businesses may not think that they collect data at all, because they have no formal database and keep information on a spreadsheet or similar, but most certainly do hold it. The word 'information' may feel more natural here, but the information a company holds about individual customers is data. Personal data is information that, on its own or combined with other information, can be linked to a living individual.
Subject Access Requests
A Subject Access Request (SAR) is a request by an individual asking what information is held about them. Currently, in the UK, businesses can charge £10 before responding to such a request, and must respond within 40 days. Under GDPR, no fee may be charged in most cases (a reasonable fee is permitted only where a request is manifestly unfounded or excessive), and the response period is one month from receipt of the request. Businesses need to think through two points in particular. Firstly, train all staff so that they can recognise when a SAR has been made: the response needs to be prompt, and a request may not cite the legislation or be obviously formal, but may simply be someone asking what data is held about them. Secondly, businesses need to consider what data they hold on individuals beyond names and addresses; this may include opinions or preferences recorded about them, which may be data the business would rather not be holding at all.
GDPR potentially has a large impact on any organisation that sends out newsletters, e-bulletins, e-mails and the like to individuals. Such organisations need to be able to evidence that the individuals on their mailing lists have definitely consented to being on them. There are separate rules for individuals who are already customers, but for prospective customers implied consent no longer applies, so many organisations may need to ask individuals to opt in to future e-mails. Under the 'soft opt-in', however, an organisation that has an existing relationship with an individual (for example, a customer who has bought a product from it) may send direct marketing to that individual. In that situation the individual can opt out rather than having to opt in, but the organisation must clearly tell them how to do so each time it communicates with them.
Schools, colleges, educational establishments and educational companies
Educational establishments are not exempt from GDPR, and many schools and colleges will already be working to ensure they are compliant. In the UK, the ICO has collected a range of resources and guidance on its website covering the steps schools, colleges and universities should be taking to comply. This information is freely accessible, and all staff members should be made aware of the responsibilities GDPR places on them. For businesses, the ICO has also compiled a 12-point action plan that organisations should follow to make sure they are ready and compliant.
There has been a good deal of scaremongering and myth-making, and a good deal of profit made, in the run-up to GDPR. Essentially, the new legislation rebalances the power over data held by organisations, promoting transparency and control for individuals. If you hold personal data about individuals, then it is right that you hold that data responsibly, are transparent with those individuals about why it is being held, and ensure that it is held securely.