The General Data Protection Regulation (GDPR) will come into force in the UK from 25 May 2018 and will apply to all 'controllers' and 'processors' of 'personal data'. The education sector holds vast amounts of personal data relating to its employees, students and pupils who are processed into the system, amongst others who are contracted through the schools. It is advisable to become familiar with these provisions at an early stage.
The key provisions being introduced by the GDPR include:
- Significant increase in the enforcement powers of the Information Commissioner's Office (fines will rise from a maximum of £500,000 to €20 million or 4% of annual global turnover, whichever is higher);
- All public authorities must appoint a Data Protection Officer;
- Changes have been made to the 'subject access request' procedure - you can no longer charge for such requests in most circumstances and the time to respond to requests has been reduced;
- Changes are made to the definition of consent meaning it will be harder to obtain and easier to withdraw;
- High risk processing with require a Privacy Impact Assessment; and
- Introduction of mandatory reporting within 72 hours in some circumstances.
How to Prepare?
The changes being introduced by the GDPR are extensive and compliance will take time to implement. We are advising that our education clients take the following steps in order to prepare:
- Appoint a Data Protection Officer if you are required to do so;
- Carry out an information audit to establish what personal data is held and the reasons why, where it is stored, who it is shared with, who has access to the information and how long the personal information is kept for;
- Create a clear record of data processing activities, including consideration of whether it is necessary to obtain consent in certain circumstances and if so, how and when consent was obtained;
- Review your existing policies, procedures and privacy notices to ensure that they are amended to comply with the GDPR;
- Review any existing contracts that will still be ongoing in May 2018 to determine whether any amendments are required so that they are GDPR compliant; and
- Consider what training employees will require ensure that they are aware of the GDPR and how to comply with the rules to reduce the risk of a break and mitigate the consequences if there is a breach.
If you are looking for any more information with regards to our services view our Education section. You can also contact Ruth Rule-Mullen in our Education department via email or phone on 01772 220195. Alternatively send any question through to Forbes Solicitors via our online Contact Form.