The GDPR is a comprehensive European regulation which will replace the current Data Protection Act (DPA). Despite Brexit, the Government has confirmed that the GDPR will apply from 25 May 2018.
The risks of non-compliance are significantly greater under the GDPR than under the DPA. For example, the maximum fine rises to the higher of €20 million or 4% of annual worldwide turnover. Here are some of the practical changes which the GDPR will introduce:
The GDPR contains extensive requirements around record keeping and being able to show a paper trail of compliance. Academies will also be required to include additional information in their privacy notices, for example, there will be a requirement to inform individuals about their right to complain to the ICO (the data protection regulator).
The GDPR will also require academies to carry out data protection impact assessments (often still referred to as privacy impact assessments) for data handling activities that are likely to result in a high risk to individuals. It is also likely (subject to further clarification and implementation) that academies will be required to appoint a Data Protection Officer.
The GDPR expands on the obligation to take appropriate technical and organisational measures to keep personal data safe, and also creates a new obligation to report certain personal data breaches to the ICO (generally within 72 hours of becoming aware of them) and, where the breach is likely to result in a high risk to individuals, to inform those individuals as well.
Academies will need to check that their contracts with data processors (i.e., any third party who handles personal data on behalf of the academy such as certain IT suppliers) contain the mandatory wording required by the GDPR.
The GDPR makes some changes to subject access requests, including shortening the time period to respond from 40 days to one month. It also introduces various new rights, such as the 'right to be forgotten' (the right to erasure), which will require academies to delete personal data in certain situations.
The GDPR will also introduce a stricter definition of consent: it must be freely given, specific, informed and indicated by a clear affirmative action, so pre-ticked boxes and silence will no longer suffice. This is particularly relevant to fundraising communications, and academies will therefore need to check that their consent forms (e.g., for alumni) are GDPR compliant.