Guidance from the Article 29 Data Protection Working Party has been issued on the approach schools should take when considering fines for data breaches and non-compliance of the GDPR.
The new guidance aims to support EU supervisory authorities to take a consistent approach in the application of effective, proportionate and dissuasive A83(1) action.
GDPR planning tips
Schools can use this guidance to assess the adequacy of GDPR planning, and consider whether they meet all obligations.
When reviewing a breach and an application of a fine for a breach, the guidance requires supervisory authorities to determine the nature, gravity and consequence of the breach, and the damage it can have in terms of:
“Discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage” (Recital 75, EU GDPR).
Schools will then be required to assess the number of data subjects involved in the breach, to identify whether the event is:
- A one-off and isolated.
- Part of an entire system breach.
- A fault in the routines that are in place.
To combat these issues, the new guidance provides 11 considerations to help determine a fine or action.
- The nature, gravity and duration of the infringement.
- The intention or negligent character of the infringement.
- The action taken by the controller or processor to mitigate the damage suffered by data subjects.
- The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by the them in regards to Articles 25 and 32 of the GDPR.
- Any previous infringements by the controller or processor.
- The degree of cooperation with the supervisory authority, in order to fix the infringement and mitigate the possible effects of it.
- The categories of the personal data affected by the infringement.
- The manner in which the infringement became known to the supervisory authority and to what extent the controller or processor notified the infringement.
- Where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with the same subject matter.
- Adherence to approved codes of conduct in regards to Article 40 or approved certification mechanisms in regards to Article 42.
- Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained or losses avoided from the infringement.
To summarise, supervisory authorities should assess the impact of the breach versus the relativity of the data subjects impacted and the population.
What this means for schools
When considering this for a school, a way to determine whether you may be receiving a fine would be to think about the following in the case of a breach:
- Your understanding of what a breach is under the GDPR and the obligations of your data controller.
- The assessment of the impact of the breach in terms of the damage it could have on data subjects. Is the breach likely to result in a risk to the rights and freedoms of the data subject? (Please refer to Recital 75 above).
- The impact of the breach against the number of data subjects involved versus the total population (e.g. the number of students or staff in your school).
- The protections you had in place to mitigate the breach and the evidence you have that demonstrates your confidence in the effectiveness of those measures.
- The protections you had put in place given the obligations of Article 32 (Security of processing and Article 25 Data Protection by Design and Default).
- The quickness and effectiveness of the mitigating steps to minimise the impact of the breach.
- The timeliness of reporting the breach to the supervisory authority and the efficiency of your communication with them.
So what can your school do to mitigate risks of a fine?
Here are a few simple steps:
- Download the 9ine GDPR Readiness Toolkit here.
- Identify what professional training is required for each person with a responsibility for the GDPR. At 9ine we have developed accredited courses to help. There are a few remaining places in London on the 13 - 17 November, and in Sheffield on 20 – 24 November. To confirm your space, email: firstname.lastname@example.org
- Receive a free independent professional training session from 9ine in association with Microsoft when you team up with colleagues from 10-15 local schools (subject to availability). Contact us for more information.
- Assess your IT architecture and operations in accordance with the 10-steps to Cyber Security. Our independent technical assessments enable you to do this.
- Work with 9ine to complete your data mapping, update your school privacy notice and update your third party contracts with the relevant GDPR clauses.
- Put in place robust GDPR policies, processes and procedures that will enable you to demonstrate compliance.
It’s important to remember that the GDPR is equally split between governance, data protection and cyber security.
The GDPR states that organisations need strong governance and assurance that they have the confidence and metrics that compliance is applied, and accreditation – following codes of practice and a third party audit.
For more information about 9ine, and how we can help you with GDPR, contact us.