At the moment, UK data protection obligations are primarily governed by the Data Protection Act 1998. However, there’s a new law coming into force that could impact your academy if you don’t act now and prepare for it.
Later in 2016, a major overhaul of the EU data protection laws will come into force that will necessarily lead to a change in business processes and potentially much higher financial penalties for breaches of the rules.
The key impacts and considerations for your academy are:
- fines up to €100m or 5 per cent of annual income;
- enforcement regime instead of self-regulation and education;
- explicit consent for data collection, data usage and marketing;
- individual right to claim compensation and a simplified process for compensation claims; and
- ‘the right to be forgotten’ - whereby individuals must be provided with the option to have their data deleted.
What are the implications for your academy?
Fines and compensation
The risk of fines and compensation claims is increased given the amplified number of areas where academies may fail to comply, and therefore there will be an onus on you to prove consent regarding the process of obtaining personal information. This should be achieved by making the language simple, not hiding information in privacy statements, making the sign-up process clear for data input requirements. Moreover, the need for assurance that the security of systems is adequate to help mitigate confidentiality breaches becomes increasingly important.
In relation to the point above, consent of individuals is generally needed in order to process their personal data lawfully. It has proved difficult for many organisations to develop practical methods of compliance, particularly for online requirements. However, instead of seeking to simplify this problem, the draft regulation proposes to raise the bar for consent so that it must be ‘explicit’ in all cases, regardless of context. This will almost certainly make it even more difficult for academies to be confident of having achieved compliance.
Academies are free to adopt a risk-based approach to compliance at the moment. However, under the proposed regulation, detailed records documenting compliance measures would have to be maintained at all times, regardless of the actual risk to personal data (failure to do so could lead to a fine). Academies will have to appoint internal data protection officers to oversee and monitor compliance. The Information Commissioner’s Office will have to be promptly notified in the event of any data security breach. There will also be updated rules on the transfer of personal data outside of Europe which may be particularly relevant for any overseas students.
These issues clearly will lead to additional processes and resource requirements and it is important that organisations approach these challenges in the right way to ensure significant additional costs are not incurred.
What do you need to do ahead of the new regulation?
The Act is anticipated to come into force towards the end of 2016, which doesn’t give you long to change how you work, to replace data, to change websites, amend contracts, terms and conditions and privacy policies. It is therefore important that you take the time now to understand the changes which are underway and how they will affect how your school.
IT systems and business processes need to be considered in relation to methods for obtaining consent for personal data. These may need to be changed as well as the steps needed to facilitate both the portability and permanent deletion of data. It may be better to wait until there is greater certainty and clarity before going ahead with major new system implementations. Where this is not practical, try to ensure that systems have some flexibility to meet changing conditions and make provisions for additional implementation costs.
New requirements for portability and deletion of data
Students and other individuals will have a new right to demand a file of their personal data. They will also have the right to insist that all data about them is deleted. Academies will have to set up new processes that facilitate these rights – and there is considerable uncertainty over what steps they will be obliged to take in practice. This clearly has far reaching implications on organisational processes and the subsequent need for a robust information management system to manage data overall.
Estimates of the possible cost/benefit are certainly being debated. Our view is that, compared with the existing regime, there are likely to be significant additional costs for all organisations, including:
- a substantial one-off cost from the need to revise compliance procedures, redesign IT systems such as customer databases, CRM systems and e-commerce software and review/update legacy data to meet the new requirements outlined above – particularly the new definition of consent, data portability and ‘the right to be forgotten’; and
- increased on-going costs as a result of a significantly more onerous and bureaucratic regulatory regime, including the appointment of ‘data protection officers’.
There is a lot to consider ahead of the new act coming into place. We currently work with a number of academies, assisting them to manage their data risks and help ensure compliance with regulatory obligations.
Our readiness assessment is specifically designed to help organisations safeguard that their internal processes are adapted and re-designed to meet the new legislative requirements, whilst minimising costs in doing so. By being prepared for the changes in legislation ahead of its implementation is imperative to avoid the risk of substantial fines.
If you would like to discuss this in greater detail, please get in touch with Mike Cheetham.