Data protection is changing and HE must be prepared

Kerry Beynon, partner at Acuity Legal and data protection expert, shares her expert tips ahead of next year's GDPR legislation

Posted by Hannah Vickers | June 09, 2017 | Technology

All organisations working in higher education will be aware of the Data Protection Act and, hopefully, their responsibilities under it. But how many are aware that in a year’s time a new regulation – the EU General Data Protection Regulation (GDPR) – will come into force that will not only strengthen data protection, but also impose significant penalties for non-compliance?

What is the GDPR?

Introduced to keep pace with today’s digital economy, the new legislation makes sweeping changes to the current requirements, which means existing data protection practices are unlikely to be adequate.

Irrespective of Brexit, it will have an immediate impact on 25th May 2018 with monumental fines for non-compliance: up to €20 million or 4% of annual global turnover, whichever is greater. Given its complexity, time is short for ensuring compliance, so you need to start preparing for it now.

Organisations will have to be much more specific about why they want the data and how they intend to use it. This will have to be carefully documented. Even then, individuals will have a host of new rights allowing them to object to certain data processing, to restrict how their data is used and even to have their data erased on a number of different grounds. There will also be onerous responsibilities on organisations to check and correct data that is alleged to be incorrect. 

Individuals will be able to make data subject access requests without restriction and without payment of a fee, to which organisations must respond promptly within a month, as opposed to 40 days currently. Individuals can also request their data in commonly used electronic formats.

What if I don’t do anything?

You might think that your current data protection procedures are good enough, but what if you are wrong? The GDPR has severe fines for non-compliance, and if you are fined, your organisation faces huge reputational damage. Do you really want to take that risk?

What do I have to do to meet the terms of the GDPR?

Essentially, the GDPR is just really good practice under the current regime given statutory recognition in legislation. If you are doing things really well now, you will only have a small step up to comply with the GDPR. But if you don’t, then you’re going to have a lot of work playing catch-up. You should see the GDPR as an opportunity and do it right.  

It’s essential to get early management buy-in. Review what data you collect, how it is collected and why it is collected. Go through the organisation methodically, department by department. Then you need to know where your data is held. Is it held on a server? Where is that server? Is it held on removable storage devices? Do you have encryption software to protect its integrity? Do you send or receive data from a third party and, if so, do you have appropriate contracts in place?  

The GDPR is not just about compliance; you have to demonstrate you are complying and show how. That’s why getting management buy-in is essential. If you are launching a new product or service, compliance should be something you consider at the outset and not a bolt-on at the end.

What else should I consider?

Good cyber-security and insurance are essential.  

You need to chart what the threats are to the data you hold, where those threats are coming from and how you are going to respond. As well as traditional external threats, breaches can come from within, from employees and contractors. New technology will emerge that will bring with it new threats as well as new opportunities.

If you haven’t already, carry out a full audit of your organisation’s data use and identify any potential weaknesses as soon as possible. There are plenty of tools and services out there to help you do this.

Remember, it’s not just about the threat of hacking; basic compliance and using data in the correct way are equally crucial.
