For industries across Europe, the General Data Protection Regulation (GDPR) can be a worry because of its impact on data protection.
However, although it’s one of the most dominant sectors in the world, education is sometimes left unaddressed. To find out more, we’ve teamed up with 2020 Vision, experts in IP CCTV systems…
What is this new piece of legislation?
Knowing the effect GDPR will have is essential for any business, especially one holding a lot of data, and it is even more important for education establishments. GDPR is set to strengthen data protection across Europe and will eventually replace the current Data Protection Act (DPA). It will be implemented on the 25th of May 2018. Even though the UK will soon leave the EU following the decision made in the 2016 referendum, it’s likely that the government will bring GDPR into British law and enforce it as if it were its own initiative, to help unify data protection.
What education centres need to be aware of
Over the years, schools will have acquired a huge collection of data from past and current students. More educational institutes also acquire surveillance footage of what happens day to day through the necessary CCTV systems that they have in place. Whether it’s stored in a filing cabinet or backed up on an IT system, a lot of data is collected in schools and universities, and this will eventually be affected by the GDPR legislation.
Schools in the UK currently abide by the DPA and have a responsibility to prevent any data breaches. Although this will still apply once GDPR has arrived, educational establishments will have a greater responsibility for protecting data, whatever its format, to ensure that they comply with the new regulation.
With GDPR set to be implemented in May, non-compliant schools will find themselves paying humongous fines. As schools will already know, under the DPA the penalty for non-compliance can reach a high of £500,000 and is enforced by the Information Commissioner’s Office. GDPR fines could reach up to £20 million or 4% of global turnover for both data controllers and processors.
Data Processor: In the education sector, the data processor processes data on behalf of the data controller. It isn’t part of the school or education establishment itself.
Data Controller: The data controller is the education establishment and it determines how personal data is processed.
Data processors must now have IT asset disposal capabilities — if they do not, the school could face further fines. Education establishments will have to prove that they are working with a credible organisation when it comes to disposal of data.
Under the DPA, schools do not need to have a contract in place with data processors. However, this is all set to change under the GDPR ruling. Next year, schools will have to have a contract or SLA (Service Level Agreement) in place with whoever they decide to work with. If one is not in place, you will be breaking the law.
What education centres can do regarding GDPR
With your school already in compliance with the DPA, making adjustments to suit the GDPR framework shouldn’t be too hard. However, just because you’re complying with the DPA doesn’t mean you’re complying with GDPR, so you will need to review your current policies and make some adjustments.
To make sure you are GDPR compliant, there are many steps that you can take. But the first step is awareness: everyone who handles any type of personal data needs to be aware that the DPA is changing to GDPR, know what they can and can’t do, and understand the consequences.
The first step for education centres is to conduct an information audit — this will show you who you do and don’t share data with. As children are usually involved, you need to put systems in place that will help verify a person’s age and then gather parental/guardian consent for any data processing activity that you might do.
Some time after students have left your establishment, you will want to remove their data from your systems. To do this, you need to consider the students’ rights, which can determine how you delete data or provide data in an electronic format.
It is vital to have a viable protocol in place so that the correct steps are taken in the event of a breach. All staff handling data should be aware of these procedures. It could be beneficial to appoint a Data Protection Officer who can take responsibility for data protection.