Briefing

New data protection regulation: 450 days and counting. What should you be doing now?

Posted by: Owen O'Rorke | Date posted: 23/02/2017

The General Data Protection Regulation (GDPR) will take effect in the UK, and across the EU, on 25 May 2018 – in a little over 450 days' time. To help focus the mind we have christened this "DP-Day".

The basic structure of data protection law will remain the same after DP-Day, but the compliance burden will increase significantly on data controllers, including schools (and some data processors – including your IT providers). There are plenty of professional scaremongers about GDPR out there, but just as many data controllers still hiding their heads in the sand. There is no doubt that the new regulatory environment brings new compliance challenges, on top of an already clear trend of stricter enforcement. To date, independent schools may have avoided the harshest forms of penalty, cushioned perhaps by charitable status, but many will have noted with concern that since December last year the ICO (the relevant regulator) has embarked on a new course of issuing substantial fines to charities.

Therefore schools should be using the diminishing window to get ready well before the new law applies. We are already well into the two-year transition, and have been since 25 May 2016, and there is no further grace period for adjustment once DP-Day hits: the ICO expects you to hit the ground running. This very quick summary of action points is aimed at those who have perhaps been slow out of the blocks.

  • Identify a compliance lead within your organisation, and raise awareness. Even if you do not require a Data Protection Officer by law under the GDPR (and the position is still unclear with schools), you will need someone within your school to take responsibility and know their stuff – whatever their job title. This does not have to be a stand-alone role (your bursar or your DSL may have some of the skills necessary, if not the bandwidth) but it is important not to silo this as an "IT issue". Data protection compliance is a top-down issue and goes far beyond your cyber set-up.
  • Ensure you are on top of the ICO guidance. There is some GDPR material already available on its website, although far less than was expected at this stage. The diversion of Brexit was perhaps to blame for this backlog, but since government confirmation that the GDPR will take effect as planned, a busier programme of new ICO guidance is now expected in 2017.
  • Carry out a mini-audit of the personal data you hold and use, and why. We can provide a simple matrix for this if required. Questions include: What nature of information do you hold on individuals? Where does it come from? What do you use it for? Do you share it with others? Are parents, pupils and ex-pupils fully aware of what you are doing with their data? Where you are relying on consent, will your existing consents (e.g. parental or alumni consents) be valid under the GDPR?
  • Identify any areas of potential vulnerability or gaps in your organisational knowledge. Focus on these with the relevant people at the school, or external advisers if you have particular concerns.
  • Table a review of your contracts. Consider also whether changes are needed to the parent contract (to capture better consents) and the wording of information collection forms (on pupils applying, joining, and leaving), as well as your contracts with third parties where there may be a data security aspect (IT services, hard copy and digital storage, even cleaning contractors). Where the terms of these contracts run beyond 25 May 2018 then the effect of the new law will already be relevant.
  • Work on your policies (if you have not done so recently already). Remember, this issue goes beyond your data protection policy for pupils, parents and staff (though this is one area where the ICO has issued new guidance here). It may also require consideration in the context of IT policies, CCTV and use of images, staff training and safeguarding / bullying policies (namely in safe and responsible information sharing protocols). That is not to say that GDPR will make any of these harder or more impractical, but (noting especially the additional rights granted to individuals to control how organisations use their data) it does emphasise the need to think about all these issues in the context of the regulation.
  • Conduct a "privacy impact assessment" before embarking on any new major projects or policy changes (say, a fundraising campaign, IT restructure or privacy policy update). Under GDPR you must plan around privacy impact from the outset, and the fall-back position must be no less than compliance.
  • Get familiar with new or changing concepts:
      • Registration. The need to notify your activities on a central register will be abolished as a requirement of European law, but may be replaced by a levy.
      • Applicability. For the first time, data processors such as cloud storage providers or intranet hosts will have direct obligations under the law (and your contracts with them will need updating).
      • Consent as a basis of processing: tougher rules on what constitutes legal consent (including for marketing). ICO guidance is already overdue on this.
      • Legitimate interests as a basis of processing: tougher rules apply here too. Under GDPR, an individual will be able to challenge your reasons for using their data and prevent further processing unless you show "compelling" legitimate interests – so the burden is on the school. Recent ICO decisions about how charities use data are a clear indicator that enforcement of the existing law is already heading in this direction.
      • New and expanded data subject rights: We will not set these out in detail here, as their impact will not be felt until DP-Day itself hits, but they increase the imperative for getting your business GDPR-ready. Schools already used to dealing with intrusive data subject access requests will find these rights are supported by an additional arsenal of other rights enabling a person to object to certain ways in which his or her data is used.
      • Transparency and accountability. These buzzwords occur throughout the GDPR. Much fuller information is required from data controllers about what they do with data and what people can do to stop them. On demand, the burden lies with data controllers to demonstrate compliance with the data protection principles.

We appreciate this is already a lot to take in. Specific updates on the GDPR and information law are also available via our newsletter Information Matters, and will continue to form a part of the Schools Report where we feel they will be of interest to schools as DP-Day approaches.

If you require further information on anything covered in this briefing please contact Owen O'Rorke (owen.o'rorke@farrer.co.uk) or your usual contact at the firm on 020 3375 7000. Further information can be found on the Schools page of our website.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, February 2017