Preparing for the GDPR
Andrew Cormack, Chief Regulatory Advisor at Jisc, provides a guide for universities
It’s out with the old and in with the new in May 2018 as the General Data Protection Regulation (GDPR) sweeps into effect to replace the Data Protection Act (DPA).
As the world moves into an ever more digital direction, our personal data and where it is held or how it is used has become a global concern for all of us. The GDPR is the first legislative change in recent years that will address these concerns, with a broad aim to invoke a cultural shift in the way businesses and institutions manage personal data. It has been hailed by the EU as an essential step to strengthening citizens’ fundamental rights in the digital age and allows individuals to object to certain processing and have their personal data corrected, deleted and its use restricted.
While Brexit cast a shadow of doubt over whether the UK could be held to the terms of the GDPR, it seems highly likely that Britain will still be a full EU member by the time the GDPR comes into force. That in turn means institutions in the UK must have their compliance strategies in place by 25th May 2018 or risk being on the wrong side of the law.
What implications will the GDPR have for universities?
The biggest and most striking change to emerge from the new regulation is the increased fine Data Controllers will face for breaches of data security. Compared with the previous UK maximum fine of a paltry £500,000, the new maximum has rocketed to a hefty €20 million, or 4% of the institution’s annual global turnover, whichever is the larger sum. The EU now looks upon data security with a more discerning glare. Introducing the harsher fine will encourage a similar level of diligence among the businesses and universities that operate across the continent.
What’s more, institutions are to be held far more accountable for the protection of the data they hold; the regulation emphasises the need for universities and organisations to maintain internal records of personal data, prepare data protection impact assessments for riskier processes and have clear privacy notices in place informing individuals about how their data will be used.
Where institutions rely on consent to process individuals’ personal data, they must also be able to demonstrate that this consent was ‘freely given, specific, informed and unambiguous’. For example, the common practice in the services sector of making access to public Wi-Fi conditional on granting consent to receive marketing information will no longer be lawful, since the two are unrelated. This may have implications for processes currently in place at institutions that rely on student consent for processing.
Collaborative research also faces uncertainty as individual member states are left to develop their own safeguards and limitations for research use of personal data. The concern is that a ‘patchwork’ of different data protection and privacy rules will emerge between EU member states, potentially complicating the practice of data sharing for European researchers.
What must universities be doing now to ensure they are ready for May 2018?
The ideal time to start planning your approach to compliance was yesterday, but failing that, the sooner your institution starts making plans, the better. Raise awareness throughout your institution, ensuring key people and decision makers are aware of the law change.
The larger the institution, the more resource implications there are likely to be when implementing the GDPR, so it is important to use the rest of the lead-in period effectively.
Be in the know
Know what information you hold, what you use it for, where it came from and who you share it with. This will bring your institution in line with the GDPR’s accountability principle which requires you to be able to prove how you comply with its data protection values. Conducting an information audit might be a good idea.
Assign a Data Protection Officer (DPO)
Having someone take responsibility for your institution’s data protection compliance with the GDPR will make things a lot easier, and may even be a legal requirement. With the relevant knowledge and authority, a DPO can provide support to others and oversee a smooth transition.
Review your privacy notices
Under the GDPR there are some additional details you must tell people when obtaining their personal data: the legal basis for processing the data, the retention period and the individual’s right to complain to the Information Commissioner’s Office (ICO) if they think there is an issue with the way you’re handling their personal information. This is usually done by way of a privacy notice, so review yours and put a plan in place to make any necessary changes.
Ensure an individual’s rights can be upheld
Under the GDPR, individuals will enjoy stronger rights than under the DPA. These include the right to:
- Subject access
- Have inaccuracies corrected
- Have information erased
- Prevent direct marketing
- Prevent automated decision-making and profiling
- Data portability
Institutions would be wise to give the above scenarios a dress rehearsal on their systems before the GDPR takes effect.
Review how consent is given
The way you seek, obtain and record consent to process personal data is likely to come under scrutiny under the GDPR, so a review of your institution’s current practices is essential. Consent must be freely given, specific, informed and be a positive indication of agreement – not inferred from silence or inactivity. An alteration in your mechanisms that record consent to data processing may be necessary in order to make proving consent a lot easier.
Data breach drills
The GDPR will introduce a blanket policy for all organisations, obliging them to inform the ICO within 72 hours of suffering a personal data breach, whenever this creates a risk to the affected individuals. For serious risks, such as an identity theft or financial loss, organisations may also need to inform individuals directly.
Institutions must ensure they have the right procedures in place to detect, investigate and respond to a personal data breach when one occurs. Start by identifying the types of data you hold and note the ones that, if jeopardised, would necessitate contacting the ICO. The UK Commissioner has already fined organisations, under existing laws, for poor handling of data breaches. These fines seem likely to increase considerably under the GDPR.
The GDPR will change a lot of the rules, regulations and processes surrounding the protection of personal data. In many cases these changes will benefit both individuals and organisations; better understanding of information flows, more accurate information, and improved security help everyone.
While the upheaval and re-organisation required to come in line with the new regulation will be a bugbear for institutions throughout the EU, the reasons behind it will be beneficial to all. With enough preparation, resources, knowledge and initiative, institutions should have few problems come May 2018.