On 25 May 2018, the EU will begin to enforce the General Data Protection Regulation (GDPR). From this date onwards, an infringement of its terms could be met with a penalty and, in some cases, a fine.
Understandably, it’s the fines that have hit the headlines, with a potential €20 million (around £17.8 million) at stake for serious offenders. But there are other sanctions available to ICO, and whether schools will be hit by such astronomical penalties remains to be seen.
To find out what sort of offence can land you in hot water, and to get an idea of the consequences, we spoke to a panel of data protection experts.
What will result in my school getting penalised?
Although data protection may eventually be something Ofsted take into account, ICO doesn’t currently carry out inspections or spot checks.
“ICO does not have the resource and that’s not how they go about doing things,” says Claire Williams, an information and cyberlaw specialist from law firm Mills & Reeve.
“The primary way that schools are going to come into contact with ICO are: if they have a breach, particularly now because it will be mandatory to report a lot of breaches that they didn’t have to before, and if you get a subject access request and the subject is not happy with how you dealt with it.”
What potential action could be taken against a school?
If you report a breach, or an individual lodges a complaint against you, the ICO will investigate and apply the appropriate sanctions. Although the fines have received the most attention, the Commissioner does have other powers at her disposal.
“ICO has what we call corrective powers,” says Williams. “So you can get warnings and reprimands that don’t necessarily have a financial impact.”
A breach or lapse in responding to a subject request is a good sign that you’re not taking your data protection seriously, as far as ICO is concerned, or that your systems aren’t what they should be.
“They have the ability to order you to do various things,” she says. “They can order you to go back and do it again, or to change your methods.
“If they find that your systems are not up to scratch, they can order you to go and improve them. They can set out exactly what they expect you to put in place and if you don’t do it then the ICO will probably then move to fines.”
Limits on processing
Although this penalty is more likely to be aimed at organisations who make a profit from their data dealings, limits and bans on processing is a new part of ICO’s arsenal so worth noting.
“The ability to impose a limitation on what you’re allowed to do with data, including banning you from processing data in certain circumstances, is a bit of a new one, and we’re still not sure exactly how that one will pan out,” says Williams.
As mentioned earlier, fines will absolutely be a last resort as far as GDPR enforcement is concerned, but if ICO decides a data infringement is significant enough, it may come down hard.
“There is a potential to receive large fines,” says Harrex, DPO and information security specialist at thinkdpo.com. “But in terms of the penalties, ICO – at least for now – remains a very friendly and constructive regulator. One of its purposes is to educate people about data protection and to help people to get up to speed, so it doesn't whip out the fines at every opportunity.”
The following guidelines outline how ICO assesses the level of fine appropriate (download).
So will schools actually receive fines?
In a speech at the Association of Chief Executives and Public Chairs' Forum, information commissioner Elizabeth Denham set out her stall in terms of GDPR enforcement:
“If you self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, you will find us to be fair. Enforcement will be proportionate and, as it is now, a last resort.”
Proportionate is a word used alongside most mentions of fines as far as ICO is concerned. This will come as good news to schools, who handle far less personal data than larger organisations, such as the NHS, which was fined £185,000 under the DPA.
“ICO looks at the circumstances of the organisation that it's fining before deciding on an amount,” says Williams. “With the current financial constraints applicable to most of the education sector, I wouldn’t imagine that we’d be hitting the headline fines any times soon.”
The consensus from our experts seems to be that the large fines will be reserved for the bigger corporations, with schools only likely to receive warnings or smaller penalties. But for leadership teams, factoring in even a four-figure penalty could put a dent in resources.
"A fine for any school will impact on the school’s ability to function effectively,” says Guy Dudley, director of Advice and Legal Services at the school leaders' union NAHT. “School budgets are at breaking point, so even a small fine might have a big impact. There’s also the issue of damage to the school’s reputation that would come alongside a fine.”
Who will be held responsible?
These new regulations will impact anyone at a school who comes into contact with personal data, which probably includes all teaching staff. But who will be held responsible?
As a public authority, and an organisation that handles large amounts of sensitive data, you’re legally required to appoint a data protection officer (DPO) – add link to Jamie’s article when uploaded.
However, appointing a DPO, even an external contractor, does not mean the school is absolved of responsibility.
“The focus is on the controller and the fines will also be imposed on the controller,” says Williams. “However, it depends what the organisation has been up to. The senior management at a company can find themselves criminally liable for unlawful processing.
“In January 2018, a firm of loss adjusters were fined for unlawful processing. They’d hired a private investigator who’d behaved inappropriately and the senior managers knew everything that was going on. There were a variety of criminal penalties applied to both the firm themselves and the senior managers because they’d been fully aware of the whole thing.”