The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. Whilst many schools, and indeed businesses, that I work with were hoping this would go away, especially in light of Brexit, it has now been confirmed that the UK will be implementing the legislation, and as such it is “the elephant in the room” that schools can no longer afford to ignore. So today I thought it would be useful to share some information on what GDPR is all about and what key actions Independent Schools need to be taking to ensure compliance.
By way of background, GDPR has been developed to reflect the changing use of data in the digital world in which we now live. With the digital economy being primarily built upon the collection and exchange of data, including large amounts of personal data, which is often sensitive, there is a need to protect EU citizens’ privacy rights. GDPR is designed to enable citizens to benefit from modern digital services, whilst providing sound, well-formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.
Whilst these aspirations are to be lauded, there is much concern amongst schools and businesses alike as to the reality of understanding and implementing the legislation within their organisation. And whilst the implementation date of 25th May 2018 may still seem a long way off, the reality of the situation is that the changes this legislation requires many organisations to make are so far reaching that they need to start work now in order to be compliant in time.
The new legislation also gives the regulator real "teeth" in terms of enforcement. For example, if you do not comply with some of the fundamental provisions in the legislation, such as obtaining necessary consent, you can be fined up to 4% of your total worldwide annual turnover or €20 million, whichever is greater. Equally, penalties of up to €10 million or 2% of your total annual turnover apply for not putting in place adequate security.
In addition, breaches have to be notified to the data protection authority and in some cases the people affected, without delay. This leaves the school concerned highly exposed to reputational damage and potential pay-outs to affected parties.
The situation for schools is further complicated by the fact that the GDPR identifies children as “vulnerable individuals” deserving of “special protection”. As such, schools also need to be aware that the new rules introduce some child-specific provisions, most notably in the context of legal notices and the legal grounds for processing children’s data.
One important element of GDPR compliance is protecting your data from external security threats. Unfortunately, schools are becoming an increasingly popular target for cyber criminals, as there is a perception that they are a soft target, not always equipped to spot the signs of increasingly sophisticated cyber fraud. Threats like ransomware, for example, which I highlighted in my recent blog, are sadly now becoming more and more common in schools. And apart from the financial and operational impact these types of threat have on the school, which can be extremely damaging as they lock pupils and staff out of the system, such malware can also be used to export information. This presents a major risk under GDPR, given that the compromised data involves the details of schoolchildren, which could have serious implications if it fell into the wrong hands.
In addition to outside security threats, there is a plethora of other threats to schools’ confidential data, ranging from something as simple as a staff member’s laptop or phone containing school email or data being lost or stolen, through to unauthorised copies of data being made or inadequate starter and leaver procedures for systems access.
There is no doubt that GDPR will have a wide-ranging impact on schools, affecting functions as diverse as marketing, fundraising, admissions, HR and ICT, and as such is something that will need much Senior Leadership Team time and planning in order to mitigate the risks and ensure compliance by the deadline.
So what do Independent Schools need to be doing in order to mitigate the risks?
Well, this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the types of things you should be considering include:
- Identify what personal data you are holding. Bear in mind personal data can be as simple as a pupil, teacher or parent’s name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.
- Identify threats to this data. This could include things like the cybercrime mentioned above, but also accidental loss by staff, deliberate theft by staff or pupils, lost devices and unauthorised access to data. This is vital if schools are to avoid the fines of up to €10 million that can be levied for unauthorised access to, or disclosure of, personal information.
- Invest in and implement the right technologies to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats. It is vital to realise that a firewall and a piece of anti-virus software are not enough.
- Put together a new or updated data protection policy and train staff on it. This is important as everyone in your school needs to understand their obligations under GDPR and how to make themselves fully compliant.
- Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that all staff are constantly kept up-to-date with best practice around security and data protection.
- Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your school.