Are you ready for the GDPR?
21 September, 2016
The General Data Protection Regulation is set to overhaul the data protection regime in the UK. Some questions remain as to how it will be implemented in light of Brexit, since it is a measure introduced at European level. However, given the changes it brings, it is likely to be introduced in the UK in some form regardless of the final outcome of Brexit.
Schools, like other organisations, should make themselves aware of the key changes that the GDPR introduces. These include:
- Enhanced rights for individuals - individuals will be provided with easier access to their personal data, enabling them to receive better information about what happens to their personal data once it is shared. This includes a "right to be forgotten" where individuals can have their personal data deleted when the data controller has no legitimate grounds for retaining it, a right of data portability for individuals to transfer their personal data to another service provider and a right to object to profiling. It also makes specific provision for young people under the age of 16;
- Data processors - it introduces direct compliance obligations on data processors and they may be liable to pay fines for non-compliance;
- Data protection by design and default - data controllers are required to take data protection laws into account when designing a new product or service. An approved certification may be used as an element to demonstrate compliance;
- Privacy impact assessments - PIAs will be obligatory in some circumstances, for example, where processing of special categories of data or data relating to criminal offences takes place on a large scale, where a systematic monitoring of publicly accessible areas takes place on a large scale, or where a systematic and extensive evaluation of the personal aspects of individuals based on automated processing (including profiling) takes place;
- Data breaches - where a data security breach occurs, data controllers must notify the national data protection authority with immediate effect and no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to an individual's rights and freedoms. If the notification is made later, a "reasoned justification" must be submitted;
- Strengthened enforcement - maximum fines will be increased and national data protection authorities will impose fines on a two-tier basis: up to 2% of annual worldwide turnover of the preceding financial year or 10 million Euro (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data protection officers and data protection by design and default; and up to 4% of annual worldwide turnover of the preceding financial year or 20 million Euro (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects' rights and international data transfers.
Schools could take a number of steps to prepare for these changes. This may include reviewing policies and procedures within their organisation to ensure that best practice is incorporated, reviewing training that is offered to staff, as well as procedures to deal with data breaches.
Forbes Solicitors regularly advise a range of clients on data protection law and practice. This includes advice on policies, procedures, training, subject access rights and enforcement action for businesses, housing associations, charities and public authorities. To assist your organisation with compliance with the Data Protection Act and preparation for the GDPR, our team is able to offer a Data Protection Audit on a fixed fee basis.
If you are looking for any more information with regards to our services, view our Education section. You can also contact Daniel Milnes in our Education department via email or phone on 01254 222313.
Alternatively send any question through to Forbes Solicitors via our online Contact Form.