Your data protection obligations as a school are about to change significantly. Under the General Data Protection Regulation (GDPR) – legally enforced from May 25th, 2018 – your school is liable for fines of up to 4% of global revenue (or €20m, whichever is higher) for failures to comply with the new legislation.
The second in our GDPR series, this article provides a detailed overview of the technical aspects of the regulation, giving context specifically to the impact for schools. (Read our first blog to discover why you need to act now to ensure compliance.)
Why the change?
The legislation has been driven as the current law is out of date, given the huge advances in technology and changes to the way organisations use and hold data.
The aim of GDPR is to give more protection to data subjects (you, me, your school employees and students), harmonising legislation across Europe and providing mandatory reporting for data breaches.
Compliance is mandatory. What’s more, the UK government has confirmed that Brexit will not affect the implementation of GDPR. The legislation affects all organisations processing the personal data of data subjects, including UK and international schools.
How does GDPR affect current legislation?
As the new legislation is a regulation, it supersedes all current legislation. In simple terms this means UK laws and codes of practice will be updated to reflect the obligations of GDPR.
The current framework this will affect includes:
- Human Rights Act (HRA) 1998.
- Data Protection Act (DPA) 1998.
- Investigatory Powers Act (2016).
- Lawful Business Practice Regulations (LBPR) 2000.
- Employment Practices Code (S51 DPA).
- Protection of Freedoms Act (PoFA) 2012.
- Privacy and Electronic Communications Regulations (PECR).
GDPR simplifies the principles of data protection from eight to six principles. The new principles are:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity & confidentiality.
What data are you required to protect under GDPR?
In order for you to fulfil your obligations, it’s firstly important for you to understand the definitions of “processing,” as defined by GDPR. According to Article 4, this is defined as:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
In layman’s terms, this means all your data, whether it’s stored on a server, a database, within a paper file or on your website.
- GDPR requires schools to protect all personal data and sensitive personal data – sensitive personal data requires additional protection.
- To do this, you need to understand where data is stored, the type of data stored, access to the data and the protection provided to that data.
- Should there be a data breach you need to have plans in place to mitigate and control it.
In practical terms, this means there is a legislative requirement for you to do everything reasonably possible to protect personal and sensitive personal data. To do this, you need to undertake a full data mapping exercise and complete Data Protection Impact Assessments for every type of processing.
How is access to data affected by GDPR?
The principles of Data Minimisation and Integrity & Confidentiality mean that only those people who need to have access to data are permitted to do so.
For the purposes of GDPR, access to data should always be restricted with clear governance procedures in place to gain higher level access. Practically, this means that you need to determine and document which users have access to each and every level of data.
- In most schools the IT department has access to everything – with GDPR this cannot continue.
- You’ll need documentation to evidence why each user type or group has access to specific data.
What security measures do you need to implement?
GDPR requires that you implement appropriate security measures to protect personal data. The definition of what that means is not given in law, but it does allow organisations to factor in cost, scope of processing and risk to the data subject.
The GDPR specifically suggests two technologies to protect data, encryption and pseudonymisation:
- Encryption relates to the protection of data via a key.
- Pseudonymisation relates to partially anonymising data so that a record can no longer be attributed to a person without additional, separately held information, and that additional information is itself given extra protection.
Within a school environment, you can assume that it’s a requirement for all staff devices to have mandatory encryption at a hard disk level. What’s more, all file transfers require suitable encryption, and you need to undertake specific Data Protection Impact Assessments for MIS (management information system) data, covering both the structure and the security of that data.
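The pseudonymisation described above, as an added example that is not part of the original post: a keyed hash (HMAC) replaces the directly identifying MIS fields with a token, and the key plus the lookup table are the separately held information that must be protected more strictly than the working data set. The pupil records, key and field names are constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample extract from a school MIS (not real pupils).
STUDENT_RECORDS = [
    {"upn": "A123456789012", "name": "Alice Example", "year": 9, "sen": True},
    {"upn": "B987654321098", "name": "Bob Sample", "year": 11, "sen": False},
]

# Fields that directly identify a pupil and must not appear in the
# pseudonymised data set; indirect fields (year, SEN flag) are retained.
DIRECT_IDENTIFIERS = ("upn", "name")


def pseudonym(secret_key: bytes, upn: str) -> str:
    """Derive a stable pseudonym from the pupil's UPN with a keyed hash.

    Without secret_key the token can be neither reversed nor recomputed,
    so the key is part of the 'additional information' that GDPR says
    must be kept separately from the pseudonymised data."""
    return hmac.new(secret_key, upn.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, secret_key):
    """Split records into (pseudonymised records, lookup table).

    The lookup table maps pseudonym -> direct identifiers and is stored
    apart from the pseudonymised set under stricter access control."""
    pseudonymised, lookup = [], {}
    for rec in records:
        token = pseudonym(secret_key, rec["upn"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        working = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised.append({"pupil_id": token, **working})
    return pseudonymised, lookup


def reidentify(pseudonymised, lookup):
    """Re-join both parts; only possible for whoever holds the lookup table."""
    return [
        {**lookup[r["pupil_id"]], **{k: v for k, v in r.items() if k != "pupil_id"}}
        for r in pseudonymised
    ]
```

The pseudonymised list can be handed to staff who only need year-group or SEN statistics, while the key and lookup table stay with the data owner.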
What does GDPR mean for governance structure?
GDPR obligates schools to manage risk and put policies, processes, procedures and a governance structure in place to manage the protection of data. The ICO (UK supervisory body for GDPR) recognises governance in three categories:
1. Information Governance
“In general, governance is the set of responsibilities and practices exercised by those responsible for an organisation (e.g. the board of directors and executive management in a corporation, the head of a federal agency) with the express goal of: (i) providing strategic direction; (ii) ensuring that organisational mission and business objectives are achieved; (iii) ascertaining that risks are managed appropriately; and (iv) verifying that the organisation’s resources are used responsibly.” NIST SP 800-39
2. Information Assurance
“The confidence that information systems will protect the information they handle and will function as they need to when they need to.” HMG Cabinet Office
3. Accreditation
“Accreditation is the formal assessment of an information system against its Information Assurance (IA) requirements, resulting in the acceptance of residual risks in the context of the business requirement.” NCSC - HMG IA Standard 2.
So, you need to take steps to ensure that senior managers and governors understand their obligations for GDPR. With this approach, you’ll be able to implement appropriate policies, processes and procedures, demonstrating confidence in information systems through documentation and an independent assessment of the systems through accreditation.
How does GDPR impact cybersecurity breach procedures?
In the event of a serious cybersecurity breach, you’d have to report it to the ICO within 72 hours.
If you have limited policies, processes and procedures relating to the management and security of information systems – or you’re unable to evidence the management, administration and compliance of the systems operation – then it is highly likely the ICO would take action against you.
- This action could be advisory action, restricting you from processing data, or a fine.
- Even without a cybersecurity breach, you would be breaking the law if you’re unable to demonstrate the effective management of your information systems.
How does GDPR affect risk management?
Recital 76 and Recital 77 of GDPR relate to risk management.
To quote directly, Recital 76 states:
“The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
While Recital 77 sets out the following:
“Guidance on the implementation of appropriate measures and on demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer.”
In other words, there’s an objective assessment of risk, so you need a documented risk methodology and risk log associated with the implications of GDPR.
You’re also required to have a risk-based approach to considering the impacts of compliance with the legislation. This means you need to have a detailed understanding of the contextual impact of the legislation and comprehensive documentation to evidence this.
What steps should you take to prepare for GDPR?
In preparing for compliance, we’d recommend you take the following steps:
- Assess your compliance with existing data protection legislation.
- Understand what is changing.
- Define required GDPR compliance in relation to your school(s).
- Undertake a gap analysis.
- Devise an implementation plan.
In identifying what needs to change in your school(s) you need to be asking:
- Do you have sufficient governance?
- Are you missing policies?
- Is your risk management approach appropriate?
- Do you understand where your data is and who has access to it? Can you demonstrate this through a data mapping exercise?
- Do processes have to change to ensure confidentiality, integrity and availability requirements?
- If data is not centralised, should it be?
- Is pseudonymisation or encryption appropriate? Are there other ways to reduce impact?
- Is there sufficient monitoring and security to prevent exfiltration of data?
- Do you have explicit consent to process data? What was the consent given for?
- Can you comply with the time restrictions required of you for Subject Access Requests or notification of a breach?
How can 9ine help you prepare?
If all that sounds overwhelming, don’t panic. We’re on hand to help you ensure you’re compliant.
- We’ve taken a number of steps to ensure we’re fully prepared for GDPR – this includes changes to our systems and processes, as well as the creation of a new Certified GDPR Practitioner (APM) team with the skills and expertise to support our clients.
- GDPR spans change management, technical systems upgrades, operational management, cyber security and training. As the leading consultancy practice in education, our GDPR management, assurance and governance service gives schools confidence on the path to compliance.
Our certified GDPR practitioner team are here to support you, providing independent assurance, support, management and governance in the journey to – and ongoing compliance with – GDPR.
From a readiness assessment and planning and management advice, to ad hoc advisory support, our team are here to help.
Get in touch to find out more about how we can help your school.
And make sure you don’t miss any of our updates as the deadline for compliance approaches by subscribing to updates.