Welcome to Gecko's GDPR series
In order to ensure that we cover every aspect of GDPR as clearly as possible, we have broken down the legislation into individual articles covering specific areas.
Article 5 defines the main principles relating to the processing of personal data such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.
What is GDPR?
The EU General Data Protection Regulation 2016/679, known as GDPR, is the latest and greatest in data protection policies to come out of the EU parliament. It is meant to replace the Data Protection Act of 1998 to ensure the safety and privacy of individuals within the EU when it comes to how their personal information is processed.
Key GDPR Terminology:
Data Subject - a person whose personal data you're processing (e.g. the student).
Personal Data - any information relating to an identified or identifiable natural person (name, email, address, IP address).
Processing - any action on the data (collecting, organising, editing, deleting).
Controller - someone who determines the purposes and means of the processing of personal data (the university).
Processor - whoever processes the data on behalf of a controller (e.g. Gecko).
Why is GDPR needed?
The DPA was written at a time when the internet looked like this:
Today, the average adult in the UK spends nearly nine hours of each day on media and communication, outstripping even the amount of time spent sleeping or doing other vital tasks, according to the latest figures from Ofcom. In order to keep up, the EU had to lay down rules for the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data within the union.
When will GDPR be enforceable?
GDPR becomes enforceable on the 25th May 2018. There's a handy countdown on this page.
Who needs to comply?
In short, all educational institutions that offer services to individuals located in the EU will be required to comply.
If you are an institution that collects or stores, manually or by automated means, any personally identifiable information on students, prospects, alumni or members of faculty who are located in the European Union, you will need to comply with the regulation.
There's quite a lot to process in the statement above. Let's break it down:
If you are an institution...
Processing data by individuals for personal use does not fall within the scope of GDPR. A business or academic institution however will fall within the scope of GDPR. [Article 2]
... that collects or stores ...
GDPR applies to the data processing, which is defined as any operation, automated or manual, performed on personal data such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure or destruction. [Article 4]
... manually or by automated means ...
Any processing of data, whether manual or automated, will need to be done in a GDPR compliant manner if it is intended to form part of a filing system. [Article 2]
This means that, no matter whether you use a web form or a sheet of paper to collect someone's contact details, if your intention is to store that information in a folder, drawer, spreadsheet or CRM, you will need to comply with the rules outlined in the GDPR. If your plan to deal with GDPR was to turn Amish, avoid technology and start using paper to collect data, the reality is that it will not save you from your obligations to comply. In fact, if your organisation is currently using a paper-based system for storing students' personal data, now would be the time to go digital, as some of the recommendations under GDPR can only be complied with if data is stored digitally. We will go through all of the advised measures in subsequent articles within this series.
...personally identifiable information...
Personal data is any information that can help identify a specific individual, such as a name, contact data, location data, online identifiers such as IP addresses, etc.
... on students, prospects, alumni or members of faculty ...
As a higher education institution, you will be processing information on a wide range of stakeholders, such as current students, prospects, alumni, leads, partners, employees, suppliers, contractors, etc. Any individual whose personal information you have on record is considered a 'data subject' under GDPR, with full rights under the act and on whose behalf your organisation is fully accountable in terms of how their information is handled and stored. For the purposes of these guides, we will mainly be narrowing down the scope of our articles to focus on students as the primary data subjects. However, it is important to remember that GDPR goes beyond that and appropriate action is needed across the organisation.
... who are located in the European Union ...
GDPR applies to any organisation established in the EU or that offers services to individuals located in the EU. If your service is available to individuals in the European Union, you are required to comply. This means that it is irrelevant whether your organisation is based outside the European Union, or whether the country in which you operate is undergoing an exit from the EU, as long as your services are offered to individuals in the union. [Article 3]
... you will need to comply with the regulation.
Currently, all organisations in the UK that collect, process or store personal information must comply with the Data Protection Act 1998, or face fines of up to £500,000 in the event of a data breach.
The DPA will soon be superseded by the EU General Data Protection Regulation, which prescribes considerably greater penalties – up to 4% of annual global turnover or €20 million.