Expected to impact industries across Europe, the General Data Protection Regulation (GDPR) is a worrying prospect for some sectors.
However, although education is one of the most dominant sectors in the world, it is sometimes left unaddressed. To find out more, we’ve teamed up with 2020 Vision, experts in cloud CCTV security.
GDPR: what is it?
Understanding what GDPR is, is essential to coming to terms with the impact it will have on the education sector. GDPR is set to strengthen data protection across Europe and will eventually replace the current Data Protection Act (DPA). It will be implemented on the 25th of May 2018. Even though the UK will soon leave the EU following the decision made in the 2016 referendum, it’s likely that GDPR will be brought into British law by the government and enforced as if it were its own initiative, to help unify data protection.
Education institutions: what you need to know
Storing information is inevitable for schools in the UK, which hold personal data on students who are presently enrolled and on students who have already left. Many educational institutions also collect surveillance footage of what happens on a daily basis through the CCTV systems they have in place. Whether it’s stored in a filing cabinet or backed up on an IT system, a lot of data is collected in schools and universities, and this will eventually be impacted by the GDPR legislation.
In complying with the current DPA, schools have a ‘duty of care’ and are responsible for safeguarding data to prevent any breaches. Although this will still apply once GDPR has arrived, educational institutions will have a greater responsibility to protect data, no matter what format it is in, to ensure that they comply with the new regulation.
Education establishments that do not comply with GDPR and do not make the appropriate changes to their current strategies will be liable for very large fines. As schools will currently know, under the DPA the non-compliance penalty can reach a high of £500,000, which is enforced by the Information Commissioner’s Office. GDPR fines could reach up to £20 million or 4% of global turnover, for both data controllers and processors.
Data Controller Meaning:
- The data controller is the education establishment and it determines how personal data is processed.
Data Processor Meaning:
- The data processor, regarding the education sector, processes data on behalf of the data controller. It isn’t part of the school or education establishment itself.
If schools use a data processor that does not have the capabilities for IT asset disposal, they will be breaking the law. Education establishments will have to prove that they are working with a credible organisation when it comes to the disposal of data.
Currently, under the DPA, it’s not compulsory for education centres to have a contract of agreement with data processors. However, this is all set to change under the GDPR ruling. Next year, schools will have to have a contract or SLA (Service Level Agreement) in place with whichever processor they decide to work with; if no such agreement is in place, you will be breaking the law.
What to do if you’re an education centre
As schools are already obliged to comply with the DPA, you’re one step closer to making the changes needed for GDPR. However, just because you’re complying with the DPA doesn’t mean you’re complying with GDPR, so you will need to review and adjust your current policies.
There are many steps that educational institutions can take to ensure GDPR compliance. But the first step is awareness: you need to make sure that everyone who handles any type of personal data is aware that the DPA is changing to GDPR, knows what they can and can’t do, and understands the consequences.
Completing an information audit is essential – this will help you become clear about who you should share your data with. As children are usually involved, you need to put systems in place that will help verify a person’s age and then gather parental/guardian consent for any data processing activity that you might do.
Although students come and go, you will need to remove their data from your systems soon after they have left. To do this, you need to consider the students’ rights, which determine how you delete data or provide it in an electronic format.
As data breaches can occur, you need to have the right procedures in place to ensure that the situation is dealt with accordingly. All staff handling data should be aware of these procedures. It could be beneficial to appoint a Data Protection Officer who can take responsibility for data protection.
GDPR will be here on the 25th of May 2018 — will your education establishment be prepared?