You may be wondering why we need new privacy laws. As it stands, data privacy laws vary from country to country within the EU, with little harmonisation. This causes confusion, reduces trust and ultimately undermines the effectiveness of data privacy laws. The GDPR is intended as a 'one-stop-shop' bringing with it a high level of alignment across the European Union. This of course also makes it far easier to administer and enforce.
The following are the key elements of the GDPR. We'll be going into the details of each one of these in future blog posts. If you're not already subscribed, you can get email alerts as soon as we publish new articles.
Who this law applies to.
Every organisation whose activity in the EU involves the processing and use of EU citizens' data. This includes schools and the suppliers they use to manage their data, (e.g. suppliers of school management software like MySchool).
What data this law applies to.
The GDPR is concerned with the use and storage of personal data, anything from names and addresses, to health information and cultural profiles. This very likely includes student academic, attendance and discipline data along with parent and donor addresses, contact and demographic information.
Accountability. A very significant change.
By far, the most significant change over the existing data laws is the emphasis on accountability. You will be expected to put comprehensive measures in place to protect data and critically, you must be able to prove you've done this or potentially face extremely hefty fines.
Compliance and Fines.
The cost of non-compliance can be extremely high. Under the GDPR your local Data Protection Authority (DPA) will have a number of mechanisms to enforce the law.
Your DPA will likely take several 'corrective' steps to encourage compliance before finally resorting to a fine. Based on an assessment of the infringement, these steps might include: onsite audits, warnings, reprimands and stopping you from processing data.
Depending on the severity of the infringement, failure to comply may result in a fine of up to 4% of your annual turnover OR €20 million, whichever is higher.
While it is still unclear how aggressively enforcement of the new law will be, it is widely expected that DPAs across Europe will be more pro-active under the GDPR than under the current data laws.
Key elements of the GDPR
Use Plain Language
You must be able to prove you have obtained freely given, informed consent to use the individual’s data and prove you are using it legitimately. This includes parental consent for children. GDPR: ARTICLE 7
Access and Portability
Make it very easy for people to access their data, challenge its accuracy and rectify it. They must also be able to move and copy their data to reuse it for their own purposes across different services if they want to. GDPR: ARTICLE 20
Along with access, people must also be able to request the erasure of their data when there is no longer a legitimate requirement for its continued use or storage. This is known as the ‘right to be forgotten’. GDPR: ARTICLE 17
You must inform data authorities of data breaches, i.e. a breach of security leading to data loss, unauthorised access or theft. In some cases, the affected individual must be notified if there is a serious risk to them.GDPR: ARTICLE 19
Automated Decisions by Profiling
If you use profiling as part of an automated decision process, (e.g. enrolment based on health, belief, behaviour etc.) you must make sure there are safeguards in place, and offer the individual the right to contest the results. GDPR: ARTICLE 22
If you use personal data for marketing purposes, in any way, you must give individuals the ability to opt out. Known as the right to object. GDPR: ARTICLE 21
You will need to provide extra safeguards to protect 'sensitive data' e.g. the use of health, race, sexual orientation, religious and political beliefs require additional restrictions. GDPR: ARTICLE 9
Data Transfer Outside the EU
If you transfer data outside of the EU, additional requirements must be met to remain in compliance. GDPR: Chapter: 5
Data Protection by Design
The GDPR requires all new projects that include the processing of personal data to include privacy considerations from the very beginning of the project. GDPR: ARTICLE 25
It will be illegal to use a data processing service provider that doesn't meet the GDPR requirements. Service providers must prove their privacy and security credentials via related accreditations such as ISO27001 Information Security certification. GDPR: ARTICLE 28
For many schools the appointment of a DPO will be mandatory. The DPO will take responsibility for data protection and should be appointed sooner rather than later to meet compliance demands. GDPR: ARTICLE 37