Andrew Cormack is Chief Regulatory Adviser at Jisc.
As the world moves in an ever more digital direction, our personal data, how it is used and who has access to it, has become a concern. To tackle the issue, the law on data protection will change across Europe in just under one year, on 25th May, 2018.
The General Data Protection Regulation (GDPR) will replace the old Data Protection Act (DPA). With the broad aim of bringing about a cultural shift in the way businesses and institutions manage personal data, the new law has been hailed by the EU as an essential step to strengthening citizens’ fundamental rights in the digital age. It will allow individuals to object to certain forms of data processing and to have their personal data corrected, deleted and its use restricted.
The UK government has confirmed that the GDPR will apply within the UK even after Brexit and its wide-ranging implications mean that universities should already be making preparations for it now.
The biggest change is that institutions will be held far more accountable for the data they hold on individuals. As well as records of what personal data exist within the organisation, the GDPR requires documented evidence of why information is held, how it is collected, when it will be deleted or anonymised, and who may gain access to it. This information lifecycle approach is also fundamental to international standards on quality and information security, so it should contribute to institutions’ achieving those goals as well as to compliance with the regulation.
Universities are still required to apply appropriate organisational and technical measures to keep information secure, and there are new duties to report security breaches to the Information Commissioner’s Office (ICO) and, in some cases, to the individuals affected. Planning what to do in case of an incident could well be done as part of developing information lifecycles.
The GDPR introduces new requirements on the way new information-handling processes and systems are developed. Data protection must be designed in from the start; systems must have default settings that protect privacy. For large-scale or risky processing, formal data protection impact assessments must be performed as part of the design process. Draft guidance from European regulators suggests that this “data protection by design” approach should be extended to existing systems within three years.
Where institutions rely on consent to process individuals’ personal data, they must be able to demonstrate that this consent was “freely given, specific, informed and unambiguous”. For example, the common practice in the services sector of making access to public Wi-Fi conditional on granting consent to receive marketing information will no longer be lawful, since the two actions are unrelated.
Designed to reduce the overuse of consent, this change may well require universities to consider whether data collection and processing is necessary under another legal basis – contract, legal obligation, vital interests, public interest, or legitimate interest of the organisation – and, if so, adjust processes to meet the relevant requirements.
Finally, breaches of data protection are already becoming more damaging to organisations. Recent failures of security and inappropriate practices by businesses and charities have been widely publicised and criticised, damaging the reputations of the affected organisations and raising questions for their entire sector. The GDPR is intended to increase individuals’ awareness of their rights, so organisations handling personal data are likely to face higher expectations. And fines for breaches are likely to increase, too, as the GDPR raises the upper limit from the UK’s current £500,000 to as much as €20 million.
Several of the required changes – notably the information lifecycle audit and the adoption of data protection by design – are likely to be time-consuming. Institutions should have already started work on those but, failing that, the sooner work starts on planning, the better. Raise awareness throughout the institution and ensure key people and decision makers are aware of the law change. The larger the institution, the more resource implications there are likely to be when implementing the GDPR, so it is important to use the rest of the lead-in period effectively.
Know what information is held, what it is used for, where it came from and with whom it is shared. Consider what is to be done if a security breach occurs. This will bring an institution in line with the GDPR’s accountability principle, which requires proof of how data protection values are complied with. Conducting an information lifecycle audit might be a good idea.
Having someone take responsibility for compliance with the GDPR will make things a lot easier, and may even be a legal requirement. With the relevant knowledge and authority, a Data Protection Officer (DPO) can provide support to others and oversee a smooth transition. The Article 29 Working Party of Data Protection Regulators has published draft guidance on DPOs here.
Under the GDPR there are some additional details people must be told when their personal data are obtained: the legal basis for processing the data, the retention period and the individual’s right to complain to the ICO if they think there is an issue with the way their personal information is handled. This is usually done by way of a privacy notice, so review the notice and put a plan in place to make any necessary changes. The ICO sets out the minimum information a privacy notice should contain here.
Under the GDPR, individuals’ rights have been enhanced. These include rights to:
Effective implementation of these rights should also improve the quality of the institution’s data and processes. Institutions would be wise to give the above scenarios a dress rehearsal on systems before the GDPR takes effect. The ICO has more information on these rights here.
The way institutions seek, obtain and record consent to process personal data is likely to come under scrutiny under the GDPR, so a review of current practices is essential. Consent must be freely given, specific, informed and be a positive indication of agreement – not inferred from silence or inactivity. An alteration in mechanisms that record consent to data processing may be necessary in order to make proving consent easier. Our analysis of the ICO’s draft guidance on consent is here.
The GDPR will introduce a blanket policy for all organisations, obliging them to inform the ICO within 72 hours of suffering a personal data breach whenever this creates a risk to the affected individuals. For serious risks, such as identity theft or financial loss, organisations may also need to inform individuals directly.
Institutions must ensure they have the right procedures in place to detect, investigate and respond to a personal data breach when one occurs. Start by identifying the types of data held and note the ones that, if compromised, would necessitate contacting the ICO. The UK Commissioner has already fined organisations, under existing laws, for poor handling of data breaches. These fines seem likely to increase considerably under the GDPR. The ICO has more information on breach notification here.
The GDPR will change a lot of the rules, regulations and processes surrounding the collection, processing and protection of personal data. In many cases these changes will benefit both individuals and organisations; better understanding of information flows, more accurate information, and improved security will help everyone.
While the upheaval and reorganisation required to come into line with the new regulation will be a burden for institutions throughout the EU, the reasons behind it and its results will be beneficial to all. With enough preparation, resources, knowledge and initiative, universities should have few problems come May 2018.
For more information, Jisc has produced a quick guide.