Will GDPR change the way the education sector operates?

The General Data Protection Regulation (GDPR) has been a hot topic in European media for a while, with talks on how this new legislation can impact different businesses across all sectors. However, although it’s one of the most dominant sectors in the world, education is sometimes left unaddressed. To find out more, we’ve teamed up with 2020 Vision, experts in IP CCTV systems and the security industry.

What is this piece of legislation?

To comprehend what impact this new piece of legislation can have on those operating in education, you need a clear understanding of what GDPR is. GDPR is set to strengthen data protection across Europe and will eventually replace the current Data Protection Act (DPA). It will be implemented on the 25th of May 2018. Even though the UK will soon leave the EU following the decision made in the 2016 referendum, it’s likely that GDPR will be brought into British law by the government and enforced as if it were its own initiative, helping to unify data protection.

What the education sector needs to know:

Over the years, schools will have collected a substantial portfolio of data on past and present students, as well as on staff who have worked within the institution. More educational institutes also acquire surveillance footage of what is happening on a daily basis through the CCTV systems they have in place. Whether it’s stored in a filing cabinet or backed up on an IT system, a lot of data is collected in schools and universities, and all of it will eventually be impacted by the GDPR legislation.

Within the education sector, education centres already have a duty of care under the Data Protection Act (DPA) — meaning that all stored data should be protected with the greatest care to prevent data breaches. Although this will still apply once GDPR has arrived, education practices will have a greater responsibility to protect data, no matter what format it is in, to ensure that they comply with the new regulation.

Non-compliant organisations may find themselves paying hefty fines as a consequence of not protecting data in the manner outlined in this new framework. As schools will already know, under the DPA the penalty for non-compliance can reach £500,000, enforced by the Information Commissioner’s Office. GDPR fines could reach £20 million or 4% of global turnover, for both data controllers and processors.

Data Controller:

An education centre which decides how data is used.

Data Processor:

Someone who processes data on behalf of an education centre.

On the subject of data processors, after 25th May 2018 it will become a criminal offence to choose one that doesn’t have the minimum capabilities for IT asset disposal. Education establishments will have to prove that they are working with a credible organisation when it comes to the disposal of data.

In the education sector, it’s currently not mandatory for institutes to have a contract of agreement in place with their Data Processor. However, this is all set to change under the GDPR ruling. Next year, schools will have to have a contract or SLA (Service Level Agreement) in place with whomever they decide to work with — if this is not in place, you will be breaking the law.

What the education sector can do about this problem:

Schools are already complying with the DPA, which makes it easier to make the appropriate changes for the introduction of GDPR. However, just because you’re complying with the DPA doesn’t mean you’re complying with GDPR, so you will need to review and adjust your current policies.

According to the Information Commissioner’s Office, there are a few steps that those working in education can take to ensure they are compliant. The first step is awareness: you need to make sure that people who handle any type of personal data are aware that the DPA is changing to GDPR, know what they can and can’t do, and understand the consequences.

Education centres should look at who they are sharing data with, then conduct an information audit to establish the reasons why. As children are usually involved, you need to put systems in place that will help verify a person’s age and then gather parental/guardian consent for any data processing activity that you might carry out.

Eventually, schools will want to remove the data of former students from their systems. To do this, you need to consider the students’ rights, which can determine how you delete data or provide it in an electronic format.

In the event of a significant data breach, there must be reasonable procedures in place to contain the issue and minimise the leak of data. All staff handling data should be aware of these procedures. It could also be beneficial to appoint a Data Protection Officer who can take responsibility for data protection.

As GDPR is set to arrive on the 25th of May 2018, it’s vital that education centres start making the appropriate changes now.

Sources:

http://opt-4.co.uk/dictionary/DataProcessor.asp

http://opt-4.co.uk/dictionary/DataController.asp

https://strategiccfo.com/asset-disposal-definition/

http://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know-8

https://dpreformdotorgdotuk.files.wordpress.com/2016/03/preparing-for-the-gdpr-12-steps.pdf

https://ico.org.uk/for-organisations/education/