What does the new GDPR legislation mean for education?

The new regulations will come into force in less than a year, and education institutions are being urged to prepare

Elizabeth Denham, the UK’s Information Commissioner, has flagged the introduction of the General Data Protection Regulation (GDPR) as a significant future challenge for her office in the Information Commissioner’s Office (ICO) annual report. This announcement highlights the magnitude of the change programme but also highlights the need for education institutions to prepare for the impending rule changes now to help mitigate substantial financial and reputational risks arising from issues of non-compliance.

The new legal framework is the biggest change to data privacy legislation in over two decades, and aims to protect EU citizens’ personal data, regardless of borders or where the data is processed.

The regulations, which come into force in less than a year’s time on 25 May 2018, will transform how education institutions need to store and manage personal data. A failure to comply with the new rules could see institutions facing significant penalties of up to €20m, or four per cent of annual global ‘turnover’.

The new rules include additional requirements in respect of consent, and institutions will need to ensure all those involved in handling personal data within the institution are appropriately trained. For education institutions personal data is wide ranging, from current staff and students to parents and former students. Any data from which individuals can be identified is considered ‘personal data’ so this covers paper-based and digital, written and photographic.

Although GDPR is a welcomed attempt to curb growing fears around how organisations use and manage personal information, the new framework will drastically affect the future of stored personal data and increase institution accountability.

Due to the amount of data, this could be an extensive two-fold process. The first step is to identify what data is currently being held, by whom and for what purpose; and the second stage is addressing the GDPR requirements for all held data.

An important factor is to ensure an institution’s data processes protect the rights of individuals. Therefore an organised data protection programme is needed, with all data activities accurately recorded. There is an increasing requirement to produce an inventory of personal data to facilitate wider data governance. Moreover, data governance obligation extends to any third-party contractors or partners working with a business, and will present institutions with much greater legal liability in the event of error. Education institutions also often share data with third parties, for example with examination boards, or in respect of sector data, such as SEND and NEETs.

Steve Snaith, technology risk assurance (TRA) partner at RSM, said: “In a growing digital economy, where data can be collected and stored within seconds, there is more risk of cyber security breaches, which was highlighted by the recent WannaCry ransomware attack. Therefore it’s increasingly more important to make sure clear processes and safeguards are put in place to protect both clients and institutions.

“Although GDPR is a welcomed attempt to curb growing fears around how organisations use and manage personal information, the new framework will drastically affect the future of stored personal data and increase institution accountability. Such a transformation is likely to disrupt internal data practices within organisations, and institutions must make sure they are ready for what lies ahead and not get caught out, as the financial and reputational risk could be significant.”