Businesses across Europe are gearing up for the 25th May 2018 when the General Data Protection Regulation (GDPR) finally comes into effect.
The objective of GDPR is to protect citizens’ data rights and to unify disparate data protection laws across Europe. It supersedes all current data protection acts in Europe (including the United Kingdom) and there are some significant changes to be made.
The new regs will apply to companies both big and small that manage or process personal data of EU residents and any companies that monitor customer or user behaviour. In certain instances, failure to comply with GDPR could result in a maximum fine of €20 million or 4% global annual turnover of the data controller, whichever amount is higher. Despite the eye-watering repercussions of not getting into shape, just 15% of organisations expect to be fully compliant by May 2018, according to a survey by Deloitte.
The English Language Teaching industry, like so many others, is awash with personal data. Language learning institutions and publishing houses must review how they are collecting, storing, and managing data and ensure that their processes conform with regulations, or the punishment will be costly.
So, what do you need to know about GDPR? How will it affect publishers and schools working in ELT? What resources are out there to help you learn more about it?
What ELT publishers and language schools need to know
The GDPR covers any personally identifiable data your company might store on students, customers, staff or sales leads. This means, if your data could, in theory, be associated to the person in question during a data breach, it is covered by the act.
There’s no limit to what this data could include. However, companies and organisations operating in the ELT space will most likely to be concerned with employee data, online attendance registers, exam results and associated data; data stored in company-run blogging platforms (including on third party platforms); CRM tools and database software; social media tools and apps that harvest user information; mailing lists; purchase history; financial data (e.g. bank or credit card details); website login details. For starters.
From a business standpoint, the GDPR affects two subsets of people: data controllers and data processors.
Data controllers are people who decide what data is collected, what it is used for, and how it is stored; language schools and publishers are most likely to be considered to be data controllers.
Data processors house or manage this data for the data controllers; online database software, mailing lists, and other Software as a Service (SaaS) companies would fall into this bracket.
What language schools need to know
GDPR and children
One significant change to current law is the move to further protection of children’s personal data.
It is especially important to understand this if your school offers online services to learners aged 16 and under. This might include language classes, certain club or group memberships, a blogging platform, learning apps with a log in, or other digital services that require the user to log in with personal information.
In all cases, you must ensure that you have verifiable parental consent to collect this data and that the language of the agreement is written so that children can understand it.
What should you prepare for?
Individual rights, access and consent
First of all, make sure that you have permission to store the data you currently have. Agreements need to be easy to understand and must be opt-in (i.e. no tick to opt-out). They should also break down exactly what the data will be used for and you will need different verifiable permissions for different data uses. Furthermore, it must be easily withdrawn and you will need to keep a clear record of the data you store.
In some cases, you may have to ask your current users to refresh their permissions in order to comply.
Under the law it is also your obligation to treat all data securely, which could include using encryption software to ensure that, if there is a hack or leak, the data will remain unreadable.
Right to be informed
Individuals have the right to find out exactly what data you have on them. You should freely supply concise information that is easily understood. It should also be easy to access and transparent. In the case of language schools, this means it should ideally be supplied in the learner’s native language.
Right of access
Your students and customers have the right to access their data, to find out what is being processed, and how, where and why it is being processed.
Right to rectification
Your customers and students have the right to demand you fix any inaccurate data that you hold on them; this includes data you have passed to third parties.
Right to erasure
Other than in certain specific cases (e.g. in legal cases), your students or customers have the right to demand you erase their personal data. This includes when the data is no longer relevant or necessary for its original purpose, when they withdraw consent, when they no longer wish to be processed, when it has been obtained illegally, or when the data belongs to a child and there is no consent.
Right to restrict processing
If the data you hold on a student or client is inaccurate, they have the right to expect you will restrict your data processing until it is rectified.
Right to object
You have to tell students and clients of their right to object in your Website Privacy Notice and in your first communication with them. They have the right to object to their data processing unless you have legal grounds or legitimate reasons that supersede the rights of the individual.
Right not to be subject to automated decision-making
Individuals have the right to expect their data is processed and decisioned by a person, not a machine, unless the individual consents, it is authorised by a specific country to which the data controller is subject to, or it is needed to enter into a contract.
Right to data portability
People have the right to recover and reuse the data you have on them for their own purposes. They should be able to easily transfer their data to other service providers – such as service comparison platforms.
Your next steps
The GDPR is a hefty legal document and there’s a lot to digest. It cannot be ignored, so we recommend assigning a person in your organisation with the role of Data Protection Officer or hiring an outside consultant to help you.
This person needs to be an expert in data protection and is responsible for evaluating whether you are compliant with the GDPR, what steps you need to take to prepare, and to ensure that other members of your staff are trained.
Head to the following online resources to make sure you are well informed and are fully compliant with the GDPR by May 2018: