Data protection: key focuses for 2020

Andrew Gallie talks about the three things that higher education institutions should focus on in 2020 when considering their data protection compliance

Technology and data have become increasingly important, and there are some key focus areas for higher education as we enter a new decade…

1. Brexit

The UK’s departure from the EU is the most significant development. How will the transfer of data between the EU and the UK work in practice?

Most higher education institutions are home to a number of international staff and students and conduct business with EEA-based suppliers.

You, therefore, likely need to process personal data internationally as part of your everyday dealings.

It is important that your institution understands the impact that the different scenarios could have on the UK’s data relationship with EEA countries.

The departure of the UK from the EU on 31 January marked the beginning of the transition period, which will last for 11 months until 31 December 2020.

During this period, EU data protection law will continue to apply to the UK. The intention is then for the UK to apply for an adequacy decision from the EU regarding its information security practices.

This would mean that at the end of the transition period, the UK would be deemed to have adequate security in place to protect personal data, and no further action would be required to continue the smooth transfer of information between the UK and EEA countries.

There is a possibility that the EU will not grant the UK an adequacy decision, and this will very much depend on how negotiations fare over the next 11 months.

We recommend that you keep abreast of the latest developments in the process of the UK exiting the EU, to ensure that you will not be required to undertake further action. This will be particularly relevant if the EU does not grant the UK an adequacy decision, as you may need to consider utilising other methods, such as standard contractual clauses, to facilitate the lawful transfer of personal data.

A practical step that can be taken now is to check your contracts with suppliers and third parties for any mention of transfers of personal data with countries in the EEA. These may need to be amended in the event that we leave the EU without a deal.

Higher education institutions hold large quantities of personal data, which makes them an easy target for both deliberate attacks and accidental security breaches

2. Information security

It is clear from the full list of fines levied in the past year that the ICO considers information security to be of the highest priority for organisations who process personal data. By way of an example, the final fine of 2019 was for a failure to ensure the security of special category personal data.

Higher education institutions hold large quantities of personal data, which makes them an easy target for both deliberate attacks and accidental security breaches. With more advanced malicious methods available, as well as the increased risk associated with our reliance on technology, it is vital that HEIs keep up with the latest developments, to prevent them from inadvertently falling foul of their obligations.

We recommend that you conduct a review of your current information security processes and identify any areas that may benefit from a refresher. The point to bear in mind is that your obligation is to demonstrate that you have in place all technical and organisational measures to ensure the security of personal data.

This includes up-to-date firewall and virus scanning software, as well as educating both students and staff about online dangers. For example, you may want to consider running a phishing email to test the understanding of the community and to look for weak spots.

3. Individuals’ rights

Individuals now have more awareness of their rights in relation to their own data, especially in the wake of the Cambridge Analytica scandal. You should, therefore, expect to receive more requests from individuals who wish to exercise their rights.

To prepare for this, you could conduct a review of your current process for responding to such requests efficiently. Staff training is vital, as individuals do not need to state that they are making a request under data protection law, and they do not need to direct it to the most appropriate person (eg the data protection officer). A student may make a request such as ‘May I see a copy of all my feedback forms for this module?’ to a tutor, who may not understand that this is a subject access request that carries with it legal requirements (eg around timescales for response). Staff training ensures that requests do not get missed or mishandled.

Training staff and streamlining processes will assist you in responding to requests in a timely and cost-effective manner, without putting an unnecessary strain on resource.


Andrew Gallie is a partner at education law firm VWV. You can contact Andrew on 0117 314 5623 or at: agallie@vwv.co.uk

You might also like: Casual contract arrangements in HE institutions

Leave a Reply