GDPR is the European Union’s General Data Protection Regulation and will be effective in the UK. GDPR together with the new Data Protection Bill will replace the existing data protection laws in the UK. Under the new laws there will be tougher fines for non-compliance and breaches, and individuals will have more say over what companies can do with their data.
What is new?
There are new rights for people to access the information that organisations hold about them, obligations for better data management for businesses, and a new regime of fines. An individual can access this data by filing a Subject Access Request (see link below).
There are six key differences between GDPR and the Data Protection Act (DPA):
1. Personal Data Refined – broader definition to reflect changes in technology and the way that companies collect information about people. An example would be where individuals must opt in whenever data is collected and there must be clear privacy notices. Those notices must be concise and transparent, and consent must be able to be withdrawn at any time.
2. Individual Rights – better control over data (consent must be informed, specific and unambiguous; the data subject has a right to receive information on how the data will be used; a right to be forgotten when the personal data is no longer relevant; and a right to transfer the data from one service provider to another).
3. Data Controllers vs Data Processors – a data processor will need to have a contract with the data controller in order to process the data. As well as the data controller, the data processor will be liable for the security of personal data (organisations with fewer than 250 employees do not have to maintain records of processing, whether they are a controller or a processor).
4. Information Governance and Security – a general obligation to implement technical and organisational measures to show that we have considered and integrated data protection into our processing activities. Privacy by design also requires that controllers discard personal data when it is no longer required. A Data Impact Assessment is required for all large-scale processing.
5. Data Breach Notification and Penalties – data controllers will be required to notify the supervisory authority within 72 hours of learning about a personal data breach, describing the breach, its likely consequences, and what the controller has done to address and mitigate it. A data processor is required to notify the controller of a data breach “without undue delay”.
6. Global Impact – The GDPR applies to the processing of personal data of subjects located in the European Union, even if the controller or processor is not established in the European Union.
Why does this matter?
As a school, we handle a large volume of personal data on a day-to-day basis, so it is extremely important that we are all aware of, and ready for, the introduction of the new legislation.
How will we achieve compliance?
The work currently being undertaken to ensure our compliance has two parts: an assessment to fully understand our existing personal data processing activity, and focused activity to ensure we reach compliance with GDPR.
- Actively engaging with outside companies and ensuring they are working towards being GDPR compliant.
- Reviewing our activities and associated policies and procedures as necessary to fully comply with GDPR following a thorough assessment.
- Carrying out necessary Privacy Impact Assessments.
The key terms
GDPR and other data protection laws rely on the term ‘personal data’ to discuss information about individuals. There are two key types of personal data in the UK and they cover different categories of information.
What is personal data?
Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address or even an IP address. It includes automated personal data and can also encompass pseudonymised data if a person can be identified from it.
What is considered sensitive personal data?
GDPR classes sensitive personal data as being in ‘special categories’ of information. These include trade union membership, religious beliefs, political opinions, racial information, and sexual orientation.
If you have any questions, please contact firstname.lastname@example.org and we will endeavour to respond at the earliest opportunity.
Please click on the relevant link below to download a PDF version of each of our school GDPR policies.