The General Data Protection Regulation (GDPR) is almost upon us. Coming into force May 25th 2018, it will affect businesses and organisations all across Europe – including those in education.
Scary as it sounds, the regulation is a positive thing, designed to protect European citizens’ data rights, fight spam, and protect our sensitive information from cyber criminals.
There are some pretty hefty fines if your business fails to comply with the law (up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches), so if you haven’t already, it’s definitely time to get up to speed and make sure that you are ready for the big shift.
But don’t panic if you’re not quite there yet. There are some steps you can take right now to get your business or organisation ready for the new regs.
1. Enlist the help of your team
The new regs are just around the corner, but for a lot of people, GDPR is still just a vague acronym. It’s important to share the implications of the changes by organising a mandatory briefing session on the topic for your team, explaining exactly what it is and what it means for your place of work. If you’re not sure what it’s all about yourself, read our article What is GDPR and what does it mean for ELT?.
Data is shared from the bottom to the top of your organisation and across every department, so it’s clear that you can’t do this alone. You will need to have everyone on board and working with you to become GDPR compliant.
For this reason, it might be a good idea to bring in a qualified expert to conduct this session for you, as there could be some tough questions from your team.
2. Nominate a Data Protection Officer
Article 37 of the GDPR requires certain organisations to designate a Data Protection Officer (DPO): public authorities and bodies (which covers most state schools and colleges), and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data. Even where it is not mandatory, nominating a DPO is strongly advisable, because you still need someone who understands the law and owns the responsibilities that Article 39 assigns to the role.
For example, your organisation’s DPO must:
- Get your team up to speed on their data-related responsibilities – especially those staff who deal with personal data.
- Keep track of your company processes and ensure that the organisation is following the letter of the law. The DPO can conduct training sessions, delegate specific data protection roles, and audit your team.
- Be the point of contact for your company or school with the regulator.
- Help your users, clients or students with queries on their data and ensure their rights according to the GDPR are honoured.
You can read more about the roles and responsibilities of DPOs on DPO Network.
3. Map out your data
Next, you need to get a handle on what personal data you hold, where it is, and how it is stored and shared across systems. That might be easier said than done and, if you don’t yet have a DPO in place, you might require an outside consultant to help you do this.
You have to consider:
- Who you hold data on: this includes staff, students, potential students (or leads), mailing lists, former employees and job applicants, and anyone else you have logged in some way.
- What that data is and why you have it: you need to be certain the data you hold has a specific business purpose. Ascertain whether you store any of the special categories of data defined in Article 9 of the GDPR (such as religious or philosophical beliefs, health data, biometric data or ethnic origin), as well as other high-risk data such as financial details and identification numbers.
- Where your data is stored and how it is used: what systems you use to keep this data, how it is transferred between systems, and who has access to it.
- How secure your data is: Article 32 requires you to take technical and organisational measures appropriate to the risk, and names encryption and pseudonymisation as examples. For sensitive personal data, encryption at rest and in transit, together with tightly restricted access, is the expected baseline.
- How you gathered this data and on what lawful basis you hold it: every category of data needs one of the lawful bases in Article 6 (consent, contract, legal obligation, vital interests, public task or legitimate interests). Consent is only one of these; where you rely on it, it must be freely given, specific, informed and unambiguous, and explicit for special categories of data. Note that if you rely on consent to offer online services directly to children, you need the consent of a parent or guardian for children under 16 (member states may lower this to 13).
- Finally, once you know where your business stands, GDPR requires that you document it all: Article 30 obliges you to keep a written record of your processing activities.
4. Get ready for data requests
Once you know where your data is, how it is stored and why, you’ll be in a position to fulfil data requests from your users – an important obligation under the law. The full list of data subject rights is outlined in our previous post about the regs.
You should now work with your DPO and team to develop a process to ensure that you are in a position to do this. Bear in mind that you will need to respond to requests without undue delay and in any event within one month, which can be extended by up to two further months only for complex or numerous requests, and that you must tell the requester if you extend it.
5. Make sure you are being transparent
Transparency is one of the major tenets of GDPR. It’s imperative that your clients (or students) know how you collect, store and process their data.
This also means you’ll need to audit your current privacy terms and statements and make sure they are easy to understand and comply with the GDPR before May 25th.
Your privacy statements must:
- Share the contact details of your DPO (where you have one) and of your organisation as the data controller
- Outline user data rights (again, see What is GDPR and what does it mean for ELT?)
- Explain how long the data will be held, or the criteria used to decide that
- Explain how the data is processed and, if it was not collected directly from the individual, where it came from
- State the lawful basis for each type of processing and, if it applies, who the data is shared with and why
- Tell people that they can complain to the supervisory authority and, where processing relies on consent, that they can withdraw it at any time
See more about this on the Information Commissioner’s Office website.
While GDPR feels like a big responsibility right now (and it is!), it’s the perfect opportunity to improve your customer service, cybersecurity and user transparency. Once it’s up and running, the new regs will help protect citizens and make everyone’s online experience safer, fairer and more rewarding.
If you want to find out more about GDPR, your responsibilities, and other key information, head over to GDPREU for some helpful free resources.