General Data Protection Regulation - are you prepared?

04 September 2017

Elizabeth Denham, the UK’s Information Commissioner, has flagged the introduction of the General Data Protection Regulation (GDPR) as a significant future challenge for her office in the Information Commissioner’s Office (ICO) annual report. This announcement highlights the magnitude of the change programme, but also the need for academies to prepare for the impending rule changes now, to help mitigate the substantial financial and reputational risks arising from non-compliance.

The new legal framework is the biggest change to data privacy legislation in over two decades, and aims to protect EU citizens’ personal data, regardless of borders or where the data is processed.

The regulations, which come into force in less than a year’s time on 25 May 2018, will transform how academies need to store and manage personal data. A failure to comply with the new rules could see education institutions facing significant penalties of up to €20m, or four per cent of annual global ‘turnover’.

The new rules include additional requirements in respect of consent, and institutions will need to ensure that all those involved in handling personal data within the institution are appropriately trained. For academies, personal data is wide-ranging, from current staff and students to parents and former students. Any data from which individuals can be identified is considered ‘personal data’, so this covers paper-based and digital, written and photographic records.

Due to the amount of data, this could be an extensive two-fold process. The first step is to identify what data is currently being held, by whom and for what purpose; and the second stage is addressing the GDPR requirements for all held data.

An important factor is to ensure an academy’s data processes protect the rights of individuals. Therefore, an organised data protection programme is needed, with all data activities accurately recorded. There is an increasing requirement to produce an inventory of personal data to facilitate wider data governance. Moreover, the data governance obligation extends to any third-party contractors or partners working with a business, and will present institutions with much greater legal liability in the event of error. Education institutions also often share data with third parties, for example with examination boards, or in respect of sector data, such as SEND and NEETs.

In the full article, our technology risk assurance partner provides his five top tips to prepare – download now.