The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018 to all 'controllers' and 'processors' of 'personal data'. The education sector holds vast amounts of personal data relating to its employees, students and pupils, as well as to contractors and others who work with schools. It is advisable to become familiar with these provisions at an early stage.
The GDPR's underlying principle is to raise the level of transparency between individuals and the controllers and processors who handle their data. The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act 1998 (DPA). The GDPR provides the following rights for individuals, together with related obligations on organisations:
- The right to be informed - transparency over how personal data is to be used.
- The right of access - where an individual makes a request for access to their personal data (a subject access request), it must be fulfilled free of charge. A 'reasonable fee' may be charged only where the request is manifestly unfounded or excessive, for example because it is repetitive.
- The right to rectification - there is a right to have personal data rectified where it is inaccurate or incomplete. You must also inform third parties to whom personal data has been provided of the rectification where possible.
- The right to erasure - otherwise known as the "right to be forgotten" which allows an individual to request the deletion and removal of personal data where there is no compelling reason for its continued processing.
- The right to restrict processing - the right to have the processing of personal data restricted (blocked or suppressed), which is similar to the existing rules under the DPA.
- The right to data portability - allowing an individual to obtain and reuse their personal data for their own purposes across different services.
- The right to object - an individual may object to processing of personal data on "grounds relating to his or her particular situation."
- Rights in relation to automated decision making and profiling - safeguards individuals against the risk that a potentially damaging decision is taken without human intervention.
- Consent - where processing relies on consent, it must be freely given, specific, informed and unambiguous (and explicit where special categories of data are involved), and the individual must be told that they can withdraw their consent at any time.
- Breach reporting requirement - the GDPR requires that a personal data breach is reported to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Failing to notify within this time frame can result in a fine of up to 10 million euros or 2% of global annual turnover, whichever is higher.
Ultimately, HR policies and procedures, existing contracts and privacy notices in any educational institution will need a thorough data protection review to ensure that personal data is processed within the boundaries of the GDPR.
Overall, employers should be thinking about:
- Keeping a clear record of data processing activities, including consideration of whether it is necessary to obtain consent in certain circumstances and if so, how and when consent was obtained;
- Procedures to ensure compliance with the strict 72-hour breach reporting requirement, so as to avoid hefty fines; and
- The training employees will require so that they are aware of the GDPR and how to comply with its rules, reducing the risk of a breach, mitigating the consequences if one occurs, and ensuring that employees are properly trained to perform their role.
For more information about our services, view our Education section. You can also contact Ruth Rule-Mullen in our Education department via email or by phone on 01772 220195. Alternatively, send any question to Forbes Solicitors via our online Contact Form.