What is GDPR?
By Kit Good, Data Protection and Information Compliance Manager for University of London
The thriller series ‘24’ punctuates its episodes with an insistent ticking clock counting down to the final showdown. If the data protection people in your organisation are walking round with the same angst-ridden expression as Kiefer Sutherland, it’s because they are counting down to the biggest overhaul of data protection laws in 20 years.
What is the GDPR?
On 25 May 2018, the current UK Data Protection Act (DPA) 1998 will be replaced by the General Data Protection Regulation (GDPR). Regardless of Brexit negotiations, the UK will still be an EU member state in May 2018 and therefore subject to this law.
Thereafter, for universities to do any business with EU countries, we will need to maintain an equivalent level of data protection. The UK’s Information Commissioner is advising organisations that the GDPR will be the benchmark. Here are some talking points to take your mind off that ticking sound…
More than just fines and security
All the headlines in the industry press are focussing on the big fines, and they are certainly eye-catching. The new regulation toughens up the sanctions against organisations that breach the law – the old £500,000 limit is replaced by a percentage of turnover, or €20 million. But the Regulation also states that fines should be ‘effective, proportionate and dissuasive’ – for universities you’d expect that to stay within the six-figure limits. Security is essential, but it is only one of the principles for managing personal data that the GDPR requires. As with the old DPA, the Regulation talks about ‘appropriate technical measures’. This is a moveable feast: you have to keep planning, checking and improving.
Know your rights
There are some changes to the existing rights of individuals around their personal data. We can no longer charge for subject access requests, and have to respond to them in a shorter time frame. There are new rights available which may mean some changes to policies and procedures.
Making the small print bigger
Who reads the privacy policies? Well there’s now a requirement to include a large range of information about what we do with personal data in our privacy notices. The idea behind this is to keep your students, staff and customers fully informed about what’s happening with their data. You’ll be expected to keep the font readable and the language clear.
Contracts, consents and more
Like the DPA, the GDPR sets out a number of legal grounds for processing. As course providers, as employers and as service providers, our most common ground for processing is likely to be ‘necessary for the performance of a contract’. When we’re providing optional services, such as marketing to people, we’re likely to be relying on consent, and this is very much “consent 2.0”: unambiguous opt-ins and preferences that an organisation needs to hold on record. Other grounds might also be relevant for universities, for example ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ when awarding and verifying degrees.
Privacy by design
When embarking on new projects involving the personal data of staff, students or customers, we will need to carry out Data Protection Impact Assessments (DPIAs). These will become a mandatory part of the ‘Privacy by Design’ approach in the GDPR. A Data Protection Impact Assessment is essentially a checklist that you can use to identify and deal with any data protection issues right at the start of a project. No-one likes to encounter these at the contract drafting stage or in the week of ‘go-live’.
Not just the privacy page
It’s helpful to remember that GDPR isn’t just a niche law for your compliance department. Efficient and trustworthy management of personal data is part of our duty of care to our students and customer service to our clients. Those policies and templates will add up to a better experience for all.
What to do next
In your organisation, find your data protection person and check where they are with GDPR. Assess where your service or function stands in terms of its personal data. Consider: what do you hold? How did you obtain it? How are you permitted to use it? How secure is it?
An organisation can have policies and programmes drafted, but these need to be implemented and maintained by networks of people across departments. Co-operation and collaboration will be what delivers GDPR for organisations.
Otherwise the compliance team might have to send in Jack Bauer.