Introduction
The General Data Protection Regulation (GDPR) heralds the biggest shake-up of European data protection law in over 20 years.
The GDPR will apply from 25 May 2018, replacing the current Data Protection Act 1998 (DPA), and will have serious implications for how the higher education (HE) and further education (FE) sector holds and processes personal data, whether that of staff or students.
The sector is becoming increasingly data-driven as it explores technology solutions which will bring real benefits and insights through the processing of personal data. Both FE and HE organisations and service providers will need to be aware of these new data protection regulations and how they will affect them.
The Information Commissioner’s Office (ICO) has confirmed that the GDPR will apply in the UK from May 2018 regardless of the Brexit negotiations. The UK government has announced a new data protection bill in the Queen’s Speech and indicated that it will be substantially similar to the GDPR.
We have prepared this guide to assist colleges, universities and other higher education institutions to understand some of the key changes which will be brought about by the GDPR. Over the next few months we will produce more focused guidance on specific areas of interest or concern for the higher education sector.
What are the changes?
Key changes include:
Accountability measures
There will be stricter rules requiring organisations to put in place (and implement) policies and documented procedures which not only serve to ensure compliance with the GDPR but also to evidence that compliance.
Full documentation and record-keeping will be important to help avoid or reduce fines, eg proving that proper consents were obtained, where necessary.
Organisations should conduct an information lifecycle audit to identify and document how personal data is collected, accessed, shared, analysed, and retained.
There are real benefits to organisations conducting an audit of this nature, and keeping detailed and accurate records of their processing activities. Not only will it ensure compliance with the new accountability measures and lessen the regulatory risk, but it will also better enable organisations to use that data in research, collaboration and learning analytics projects (as examples), in the knowledge that the data is accurate, up to date, and can be fairly and lawfully used for the relevant purposes.
Privacy by 'default' / 'design', and data protection impact assessments (DPIA)
Organisations will be obliged to implement "data protection by design and default", including security by design and default, which is aimed at building in data protection from the outset.
As a way of ensuring this, before commencing any processing likely to result in a high risk to individuals, such as profiling activities, organisations will have to carry out a data protection impact assessment (DPIA) of the envisaged processing to assess the privacy risks to individuals, identify measures to address those risks, and demonstrate compliance with the GDPR.
Where the DPIA indicates that the processing would still be high risk in the absence of measures by the organisation to mitigate that risk, the organisation will be required to consult the supervisory authority before it can carry out that processing under the GDPR. The supervisory authority will be able to suspend or even ban the processing.
Organisations should develop a DPIA template with clear guidance on:
- (i) When DPIAs should be carried out
- (ii) The relevant stakeholders who should be involved in the process (including the data protection officer)
- (iii) When and how any proposed high risk processing should be referred to the supervisory authority for prior consultation
Higher standard for valid consent
Where organisations rely on consent for processing, the GDPR will introduce a higher standard for this to be valid; it specifically prohibits silence, inaction or pre-ticked boxes as being a means to obtain consent. Failure to have the proper consents in place can expose an organisation to the risk of a higher tier fine.
Organisations will need to assess the processing activities for which they rely on consent, and if necessary, take steps to "re-paper" those consents.
Statutory liability for processors
Processors will have a new, statutory obligation to implement appropriate security measures to protect the personal data made available to them by organisations. In addition, they have an express obligation to notify the organisation of security incidents "without undue delay".
They may also be exposed to claims for financial damage or distress by individuals affected by the security incident, who may choose to sue whomever in the supply chain is perceived to have the deepest pockets.
This change means that students and staff (being the most common "data subjects" in technology contracts) can choose to bring claims directly against IT providers if their security failures cause those individuals loss.
Mandatory breach notification within 72 hours (where feasible), and notification to affected individuals
Organisations will have to notify the supervisory authority of a personal data breach (unless the breach is unlikely to result in a risk to individuals) within 72 hours of becoming aware of it, "where feasible". Affected individuals will also need to be notified where the breach is likely to result in a high risk to their rights and freedoms, for example serious harm to their privacy.
Organisations will need to review their current procedures for identifying, escalating, mitigating and reporting breaches, in order to assess what changes might be required to those procedures in order to meet these new requirements.
Increased data subject rights
Data subjects will be afforded greater rights: information they request (for example through a subject access request) will have to be provided free of charge and within one month, unless the request is complex or numerous, in which case the period may be extended by a further two months.
They will also have additional, new rights, such as the right to data portability and the highly-publicised right to be forgotten.
Organisations will need to assess their current processes to understand whether they will, in practice, be able to comply with the tighter response timescales, as well as the new rights.
This will likely also require an update to internal policies, and potentially even a change to some systems (which could come at a cost).
Reputational damage and administrative fines
As security breaches receive greater publicity and criticism, organisations should be aware of the serious reputational damage which can be caused to them (and to the sector as a whole) through poor data processing practices. There could also be very significant financial repercussions for organisations which breach the GDPR, which will introduce a new regime of administrative fines in two tiers.
The lower tier is the greater of €10 million or 2% of an organisation's worldwide annual turnover of the preceding financial year, and the higher tier is the greater of €20 million or 4% of an organisation's worldwide annual turnover of the preceding financial year.
Lower tier fines will apply where eg: an organisation does not have GDPR-compliant clauses in a contract, does not carry out a data protection impact assessment when the GDPR requires, or does not notify security incidents to the supervisory authority and/or individuals within the required timescales.
Higher tier fines will apply where eg: the organisation breaches the GDPR principles (which, broadly, reflect the eight principles of the Data Protection Act 1998), breaches any of the data subject rights (eg does not respond to subject access requests), or transfers data outside the European Economic Area (EEA) without having adequate safeguards in place.
Greater transparency around data processing
More information will have to be provided to individuals about what personal data is being collected, for what purpose, for how long and to whom and to where it is being transferred.
Organisations will need to consider when and how best to convey to students and staff how they use their data. These new requirements are very prescriptive as to what must be included in the privacy notice, and doing so in a "clear" and "concise" way (as the GDPR requires) could prove challenging.
Profiling
The GDPR specifically defines "profiling", making it clear that profiling is considered to be a form of automated processing on which decisions affecting individuals could be based, and to which individuals could object.
Accordingly, use of big data and other forms of analytics could be considered "profiling", and so organisations which conduct profiling will be required to implement the necessary safeguards, and include processes for handling requests for human intervention/ review where appropriate.
As an example, organisations will need to consider if the manner in which they perform wealth screening could be categorised as "profiling", and (if so) will need to take the appropriate measures required by the GDPR.
Minimum mandatory contractual provisions in data processing clauses/ contracts
The GDPR requires that new, prescriptive obligations are included in data processing clauses / agreements, including flow-down of those obligations to sub-contractors, to which some service providers (eg cloud providers) may have difficulty agreeing.
Organisations will need to consider their approach to the procurement of IT services carefully (especially cloud).
While some suppliers may be more receptive to agreeing new contractual clauses, many will contract on their own standard terms and will tend to refuse to change them for "just one customer", instead opting to update their terms according to their own internal timetable.
Tighter rules on international transfers
Restrictions on transferring personal data outside the EEA (eg hosting in data centres outside the EEA, or remote access from outside the EEA) will generally be tightened up, noting that the higher tier of fine applies to breaches of the data transfer rules. Under the GDPR the current safeguards (eg model clauses and Privacy Shield) remain available, but self-assessment of adequacy will no longer be a route to compliance.
Organisations will need to consider whether their existing international data transfers (whether to other organisations or to IT suppliers for example) comply with these data transfer rules and take remedial action if necessary.
Territorial scope
Non-EU controllers and processors will be caught by the new regime where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour.
Data protection officers (DPOs)
Organisations whose core activities involve large-scale monitoring or large-scale processing of sensitive data or data on criminal convictions may be required to appoint a DPO.
In our experience, most HE and FE organisations have now concluded that awarding degrees involves “large-scale monitoring” so are appointing or assigning DPO roles and responsibilities. A DPO must operate independently and must not receive instructions from their organisation regarding the exercise of their data protection tasks.
What you should be doing now
- Put together a GDPR implementation task force
- Start the process, where applicable, of appointing a data protection officer (DPO)
- Conduct an audit of what personal data the organisation holds, how it is being used, to whom it is being disclosed and to where it is being transferred
- The GDPR advocates taking a risk-based approach; through the audit, identify the systems and services that present the most risk and focus on mitigating these
- Start reviewing data protection clauses used (both for templates and live negotiations) in supplier agreements to include the mandatory GDPR clauses
- Review breach notification and management systems and procedures, including draft notification forms for both notifications to the supervisory authority and affected individuals
- Review IT systems and internal processes to ensure that an individual's data can be captured both for the purpose of data portability (ie passing a copy to the data subject or another controller) and so that such data can be deleted easily when no longer needed
- Review and update student and staff privacy notices to reflect the new transparency requirements of the GDPR
- Develop a template DPIA assessment to be used in any high risk projects
- Review existing processes and procedures for subject access requests, including the development of template response forms and assessing whether the one-month response deadline could be met
- Start putting together training materials to raise staff awareness of the new rules under the GDPR
Future guidance
We welcome the opportunity to provide further guidance to the sector on GDPR. We have identified a number of areas that may be of particular interest or concern to the sector and we will release guidance over the next few months. In some cases we are waiting for final guidance to be issued by the ICO and/or the Article 29 Working Party. We will begin with more detailed guidance on data sharing, followed by cloud contracts.
If you would like any further information in the meantime, contact us: dataprotection@jisc.ac.uk.
This briefing is not an exhaustive summary of the GDPR. It is a summary created by Jisc for the education sector and does not constitute legal advice. You should consult a suitably-qualified lawyer on any specific legal problem or matter.