General Data Protection Regulation (GDPR) is a new set of European Union rules governing how organisations, such as schools, handle personal data. The new regulations replace the existing Data Protection Act (DPA) and will be legally enforced from 25 May 2018 onwards.
The aim of this guide is to give you a basic overview of GDPR.
What is GDPR and how does it differ from the DPA?
The DPA was introduced back in 1998, which, to put it in context, was the same year that Google was launched. A lot has changed since then, particularly in schools; the quantity of data that schools collect and the complexity of locations in which it is stored have changed dramatically.
Although much of the legislation from the DPA remains in place, GDPR sets out to reinforce certain elements.
Before we go on, it is worth clearly defining what "processing" data means in the context of GDPR. It refers to any operation or set of operations performed on personal data, whether that operation is automated or not. That includes collecting it, organising it, structuring it, storing it, retrieving it, and a whole lot else (GDPR itself gives the full definition). Schools, you will note, do all of these things with personal data regularly.
- Evidencing compliance: the most significant change from the previous regulations, and the one that schools will need to focus the most resource on, is evidencing compliance. GDPR requires that schools don't just comply with the regulations, they need to be able to show that all processes around data have been considered and recorded. That means keeping a record of what you are doing and when.
- Individual rights: previously, individuals were able to ask to see all data that an organisation held about them, and ask for any inaccuracies to be corrected. This process incurred a fee. Now it’s free and individuals can also request to have their data removed, to withdraw their consent, or to have their data given to them in a portable manner.
- Categories of data: the new regulations have altered the ways in which organisations need to categorise personal and sensitive personal data. Changes include the addition of biometrics and genetics into "special category data".
- Potential fines: under the new regulations, all companies and organisations that handle personal data will be liable for fines of 4 per cent of their annual revenue or €20 million (about £17.7m), whichever is larger.
Enforced in the UK by the Information Commissioner’s Office (ICO), the new European guidelines will continue to be used by the UK on departure from the EU, so holding out for Brexit in the hope that this will all go away is not a viable option.
GDPR’s six principles
If it is all starting to sound quite complicated, then the good news is that GDPR can be summarised as six principles of how companies and organisations should use personal data.
Personal data should be:
- Processed fairly, lawfully and in a transparent manner.
- Used for specified, explicit and legitimate purposes.
- Used in a way that is adequate, relevant and limited.
- Accurate and kept up to date.
- Kept for no longer than is necessary.
- Processed in a manner that ensures appropriate security of the data.
Controllers and processors
While these terms may sound like they refer to warring factions in a sci-fi film, they are in fact used in GDPR to describe the two parties that can be involved in processing personal data.
If you are a school, you are usually a controller.
Controller: the data controller is the person or organisation that decides which data is collected, for what purpose it is used and who is involved in the processing.
Processor: the processor is responsible for processing the data on behalf of the controller. Processors must maintain records of the personal data being processed and the means by which it is processed. They can be held legally responsible for a breach. Processors typically used by schools range from photographers to shredding companies or online learning platforms. For each one, the school must have the necessary paperwork in place.
“If a school engages with a third-party piece of software, the school has got to have its own data-processing agreement [for that use],” says Jonathan Harrex, DPO and information security specialist at thinkdpo.com. “The third party’s [data-processing agreement] is not going to be sufficient because the school is the data controller and it has got to determine how the data is processed.”
Records of processing
As part of GDPR’s emphasis on evidencing compliance, schools are required to record every point where the processing of personal data takes place. This could be a large job, but the record doesn’t need to be overly complex.
“It’s just capturing how the processing takes place,” says Harrex. “You need to record what you’re doing, what the systems are, whether there are any third-party contracts, how it’s designed and whether it’s subject to a Data Protection Impact Assessment (DPIA). All organisations processing data are accountable for that data being processed and they have to be able to demonstrate their compliance if questioned.
“If you’re then processing special categories of data, then you need to look at the risks processing that data presents by using the DPIA, and if necessary increase your controls.”
What is classed as personal data?
Personal data is defined by the ICO as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”.
Personal data could range from pupils’ grades and attendance records to more sensitive information, such as biometrics.
“A lot of schools are now turning to a lot of things like biometrics in order to keep track of what’s happening in their schools,” says Claire Williams, an information and cyber law specialist from law firm Mills and Reeve. “You’ve got to think very carefully about legal basis before you start using that kind of data.”
This "special category data" is subject to a list of conditions for processing because, according to the ICO, “this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination.”
As well as satisfying the lawful bases for processing that apply to personal data, you must also identify additional conditions for special category data.
What is a lawful basis for processing data?
You can only process personal data if there is a legal basis for doing so. GDPR lists six lawful bases for processing personal data. This effectively replaces the previous "conditions for processing" stated in the DPA, and schools now need to determine their lawful basis before processing personal data.
“Schools and other organisations are going to have to think a bit harder about the parameters of each of these legal grounds and about exactly whether or not they do apply to the processing that is going on,” says Williams. “Because for each bit of processing you do, you’ve got to hang your hat on a particular legal ground and you can’t change your mind later.”
The legal basis you use to process data should be included in your record of processing.
The six legal bases:
- Consent: the individual has given consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual.
- Legal obligation: the processing is necessary for legal reasons.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.
Data subjects and the rights of the individual
One of the major changes from the previous legislation is that the rights of the individual (or data subject) have been expanded. Previously, an individual could ask a school to produce a copy of all the data it held about them. Now, the school could also be asked to delete all that data or to produce it in a portable format, and any previously given consent can be withdrawn.
Subject rights under GDPR are:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision-making and profiling.
What an individual can ask for will depend on what their data is being used for, so understanding the lawful basis is closely linked to responding to requests from individuals.
“The exercising of rights is built on the lawful basis,” says Harrex, “because the lawful basis dictates what you can and can’t do.
“If you take, for example, your processing of data for pay, then your rights with regards to that data are governed by anything to do with income tax regulations, so someone couldn’t ask for it to be erased because it is being processed under the lawful basis of legitimate interest.”
A developing picture
So there you have it. Admittedly, it is a significant change for schools, but all the experts agree that it should not be too onerous once you get your head around it.
And remember, after 25 May, the picture on how GDPR will be enforced will become much clearer; regularly checking these pages will ensure you are fully up to date with any changes that occur.