How universities have to adapt under the new EU General Data Protection Regulation (GDPR)

FULL FABRIC explores how universities will be affected by GDPR and how they can become compliant before 25th May 2018.

GDPR - a new regulation and directive that became effective on May 24th 2016 - will become officially enforceable from May 25th 2018. As the two year transition period comes to a close, universities are expected to have prepared for the changes. For those who haven’t, don't worry - there is still time.

What is GDPR?

GDPR replaces the previous Data Protection Act (DPA), and aims to initiate a cultural shift in the way in which we manage people’s data in the digital age. Essentially, it will give citizens more fundamental rights and autonomy over how their data is stored and used by businesses and institutions, making processes clearer and more transparent. Under the new system, individuals are well within their rights to object to their data being processed by companies and they can have it corrected, restricted or even deleted by institutions. In short, amonst other things, GDPR grants people the ‘right to be forgotten’.

Another purpose of GDPR is to facilitate business by simplifying rules for companies in the digital single market, leading to suggested savings of €2.3 billion, according to a report by the European Commission. Data is undoubtedly the currency of the digital economy today: to put it into perspective, a European citizen’s personal data is estimated to be worth €1 trillion annually by 2020. GDPR aims to strengthen and consolidate Europe’s data protection standards through the design of a single, pan-European law, restoring the trust of the consumer in the process.

GDPR will be applicable to all institutions operating within the EU - even if prospects reside outside of the EU (it also applies to institutions outside the EU if their data processing affects EU citizens). In June, the Queen’s Speech clarified that GDPR will indeed remain part of UK law following the country’s withdrawal from the European Union.

How will the GDPR affect higher education institutions?

The impact of GDPR in higher education will be a profound. Under new GDPR rules, HEIs will become more accountable for the data they possess. As such, they need to have organised records of what personal data exists, as well as documentation explaining why it has been held, how is was collated, who has access to it and when it will be removed or anonymised. 

With this in mind, it makes sense that universities will be required to have a designated Data Protection Officer (DPO) if they don’t already; someone who will be expected to liaise with the Information Commissioner's Office (ICO). The chosen individual must have a comprehensive knowledge of new data protection law and will be required to report to the highest management level in the institution.

As with the DPA, it's more important than ever that universities ensure measures are in place to keep personal information secure. Under the new system, any breaches must be reported to the ICO within 72 hours, and must be reported to the individual whose data has been compromised if the breach relates to identity or financial theft.

There is an emphasis on “data protection by design”; new information handling systems and processes must be developed in accordance to new guidelines outlined by GDPR. In short, personal data must be protected from the very beginning of its lifecycle.

‘Consent’ to use personal data will also be redefined and refined. Universities must now be able to evidence that consent to use information was “freely given, specific, informed and unambiguous,” as outlined in ICO documentation. Certain forms of consent will be outlawed under the new system: for instance, the use of public WiFi to collect data for marketing purposes - a strategy commonly used by public services.

As our expectations of the quality of data protection rises, so do the consequences for not adhering to the protocols put in place by the GDPR. Those who don’t comply can now face fines of up to 4% of annual turnover.

What can universities do to prepare for the GDPR?

It goes without saying: the sooner HEIs start planning and preparing for the new regulation, the better. For some, it’s a big upheaval and can be a strain on resources. The following nuggets of advice will help the journey run just a little more smoothly.‍

1. Know the data inside out

In other words, review, review, review. Universities need to understand what data they currently hold, what data is coming in, and what the sources are together with who has access to it.  Knowing this will ensure that the institution is in sync with the aforementioned accountability aspect of the regulation.

It’s also useful to review the new ICO Privacy Notice Code of Practice and evaluate how consent is currently obtained by the university; also, the basis on which it is shared with third party companies. Institutions should aim to develop a ‘privacy by design’ strategy by implementing Privacy Impact Assessments for new data processing. ‍

2. Assign a data protection officer (DPO)

DPOs with a solid understanding of data protection regulation are an institution’s most valuable asset when it comes to GDPR. They will ‘project manage’ the transition and be responsible for ensuring that the university complies with regulation, whilst acting as an educator, explaining the changes in a way that is both straight-forward and relevant to the institution they are working in. Article 29 Data Protection Working Party has published draft guidance on DPOs. ‍

3. Ensure an individual's rights can be upheld

Arguably, the main point of GDPR is to give citizens more rights and control over their data. Before the new regulation comes to the fore, HEIs must ensure these new rights are properly safeguarded.

Are individuals able to…

• Subject access (obtain a copy of any information held by the institution)
• Correct inaccurate information
• Opt out of direct marketing campaigns
• Prevent automated profiling and data sorting
• Data portability (request and reuse their data for their own purposes)
  

Despite the obvious hurdles, if prepared, institutions and the individuals who operate within them, will begin to see the benefits of GDPR after its implementation in May 2018.

Learn more about the impact of the GDPR in the Higher Education sector in our blog.

If you're a UK university who needs some assisstance with GDPR, you can call the ICO helpline on +44 303 123 1113. You can view the full text of the regulation here.