Elizabeth Denham, the UK’s Information Commissioner, has flagged the introduction of the General Data Protection Regulation (GDPR) as a significant future challenge for her office in the Information Commissioner’s Office (ICO) annual report. This announcement highlights the magnitude of the change programme, and also the need for education institutions to prepare now for the impending rule changes to help mitigate the substantial financial and reputational risks arising from non-compliance.
The new legal framework is the biggest change to data privacy legislation in over two decades, and aims to protect EU citizens’ personal data, regardless of borders or where the data is processed.
The regulations, which come into force in less than a year’s time on 25 May 2018, will transform how education institutions need to store and manage personal data. A failure to comply with the new rules could see institutions facing significant penalties of up to €20m, or four per cent of annual global ‘turnover’.
The new rules include additional requirements in respect of consent, and institutions will need to ensure all those involved in handling personal data within the institution are appropriately trained. For education institutions, personal data is wide ranging, from current staff and students to parents and former students. Any data from which individuals can be identified is considered ‘personal data’, so this covers paper-based and digital, written and photographic.
I have added a specific Data Protection video for the Education sector and a Data Protection Self Assessment Toolkit on our WTPN Website resources page to help, and have requested a speaker from the ICO for our next meeting. I will keep you updated if I'm successful with that.