New data protection laws will be introduced from next year, carrying substantial fines for organisations that fail to observe the new rules.
The General Data Protection Regulation (GDPR), which will replace the Data Protection Act in May 2018, will apply to all organisations including academies and charitable organisations.
The GDPR will tighten the rules on the storage and handling of personal data. Organisations will be required to maintain a thorough record of how and when an individual gives consent to be contacted, and the personal data of individuals who withdraw consent must be permanently deleted from storage.
Among other effects, these measures will permanently alter the scope of schools’ marketing activities.
Joanne Smith, chief executive of consultancy TCC Group, said the main surprise to trustees may be the “vastly increased level of fines for non-compliance.”
Under the GDPR, the Information Commissioner’s Office (ICO) can issue fines of up to four per cent of global turnover, or 20 million euros (£18.3 million), whichever is the higher amount. By comparison, under the current rules the ICO can fine an organisation at most £500,000.
Mark Orchison, managing director of 9ine Consulting, said that schools faced a “significant amount of work” to become compliant.
He said a designated data protection officer could spend up to three days a week on data commitments, while out-of-date IT equipment may also have to be replaced.
The key DOs and DON’Ts for GDPR include:
- DO maintain a record of how, where, and why consent was obtained
- DON’T use consent by default to store data
- DO delete personal data when an individual exercises his or her right to be forgotten
- DON’T further process data in a manner that is incompatible with its original purpose
- DO report a breach to the relevant authority and to the affected individuals
- DON’T take more than 72 hours to report it
- DO inform your employees about cyber security best practice
- DON’T wait for GDPR to come to you. Seek assistance now
B J Chong, a Partner with Palmers, who specialises in company law issues affecting the education sector, said: “This is an important new piece of legislation which will affect all UK businesses and schools alike. The penalties for non-compliance are extremely high, with fines of up to four per cent of turnover, or 20 million euros, whichever is higher.
“A potential breach could not only lead to a huge fine but also cause reputational damage to a school. It is important, therefore, to ensure that your organisation is fully up to speed with the full implications of GDPR, well in advance of May 2018.”
For help and advice on the implications of GDPR on the education sector and how your organisation can be fully prepared for the new legislation, please contact us.