With the General Data Protection Regulation (GDPR) rolling out in May 2018, you’ve probably heard of it through the grapevine because of the hefty fines and repercussions associated with not being GDPR compliant. Since the GDPR is going to apply to a majority of organizations across the globe, you definitely don’t want to be one of the unlucky few that are hit by a penalty.
This article covers the most important points of the GDPR and how it applies to international schools. Before we begin, here’s a little legal disclaimer:
This article is not legal advice for your organization to use in complying with data privacy laws like the GDPR. IMPACT provides this article as a resource to help you better understand the background information of some of the most important points in the GDPR.
This information does not replace the advice of an attorney. If your company or international school is seeking legal advice for following the GDPR guidelines, then your best bet is to speak with an attorney who can apply the laws to your unique situation.
What is the GDPR?
The GDPR is a regulation that is going to replace the EU’s current data protection regulation. The EU regulation that the GDPR is going to replace is called the EU Data Protection Directive (DPD), which was first introduced in 1995.
The GDPR is replacing the DPD and will be updating some fundamental privacy principles. The DPD has eight principles that the GDPR builds on:
- Obtain and process personal data fairly
- Keep it for one or more specific purposes
- Process it in ways that are related to the purposes initially given
- Keep it safe and secure
- Keep it accurate and up to date
- Data must be adequate, relevant, but not excessive to privacy
- Retain data no longer than necessary
- Provide a copy of the individual's personal data on request
All EU states are protected by the GDPR. If your school is collecting data or monitoring the behavior of individuals within the EU, then the GDPR still applies to you. Even if your business operates outside of the EU, you’re still responsible for protecting the data of EU citizens.
So, what should your school do before the GDPR comes into full effect?
The most important changes brought by the GDPR
First, we need to understand that the GDPR was created to update the DPD and put the end-user in mind. Emerging technologies, new platforms, and organizations are frequently collecting information from users, so the GDPR adds another layer of security for the data that is collected.
Sumo, an email marketing application, found that in the last two years they helped customers acquire 3 million email addresses. Recent news about Facebook said that the personal information of 87 million users was shared with Cambridge Analytica (a political consultancy).
If you think back to all the email lists or subscriptions you’ve signed up for, then you’ll probably realize that your personal information is in the hands of multiple organizations. The most important changes brought by the GDPR are an increased level of consent, data subject rights, and privacy protection requirements.
Organizations that collect data are required to collect the information of EU citizens ethically and uphold higher security standards.
Consent Required from Individuals
The GDPR states that your school or organization is the controller of the individual’s data. As a controller, you have to make sure that the user has given crystal clear consent to collecting their data. This has always been the case with the DPD, but the GDPR takes the definition of consent to another level.
Consent cannot be implied. Consent can only be given if the data subject (user) agrees to giving their data by “a statement or a clear affirmative action.”
What is a clear affirmative action?
It could be submitting their child’s application. Submitting an application for their child could show that they have accepted to submit their data so that they can enroll their child in your school. Another clear affirmative action could be when a data subject fills out your school’s “contact us” or “inquiry” form.
What is a statement that shows consent?
A statement could be a check box indicating that they “agree with submitting the collected data in the form.” This could mean that you have to go through your school’s data collection forms and add a checkbox that asks for consent.
The most important thing about these checkboxes is that they cannot be pre-ticked for the user. Agreement cannot be collected through inactivity either (e.g. the user agrees to submitting their data if the page times out). Consent is 100% initiated by the data subject.
As briefed by the UK’s Information Commissioner’s Office (ICO), the GDPR sets higher standards for consent. Consent requirements, as stated by the ICO, under the GDPR are as follows:
- Consent should be separate from other terms and conditions
- It should not generally be a precondition of signing up to a service
- The GDPR specifically bans pre-ticked opt-in boxes
- It requires granular consent for distinct processing operations
- You must keep clear records to demonstrate consent
- The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
Cookies are a small text file stored on a user’s device and is considered personal information. A simple statement is not considered agreement or consent. Doing this gives the user no choice but to accept the cookies. There has to be a clear choice between accepting or rejecting the cookies if you are using this message on your site.
The best way to get consent for cookies is to make sure your website or content management system (CMS):
- Tells users you are using cookies
- Explains what the cookies are for
- Asks for consent to store a cookie on their device
Getting this to work on your site is as simple as embedding a free and open source code.
New Data Control Rights for Individuals
Data subjects have two new data control rights. Users have the right to be forgotten and the right to data portability. The right to be forgotten means that data subjects can request to have their data deleted. As a controller, the GDPR states that you need to comply with this request. A right to data portability means that data subjects can demand a copy of their own data.
Subject Access Requests
The timeframe a controller has to follow in the event of a data access request initiated by the subject will change. A data access request can be a request to delete or provide a copy of the subject’s data. The GDPR gives controllers a maximum of 30 days to satisfy the request of the subject. This is a process that needs to be discussed by all members of your faculty, ask your team who will handle all of these requests.
Notifying Subjects of Data Breaches
In light of the Facebook data leak, it has become apparent that users have the right and desire to be notified about a data breach. To avoid a data leak, your school needs the right systems and security in place to protect the privacy and personal information of families.
Even a simple mistake, such as forwarding an email with personal data, is considered a data breach. In the event of a data breach, your duty as a controller is to notify the affected data subjects. Your school has 72 hours to report that a breach has occurred, otherwise you are subject to a hefty fine.
The GDPR enforces a €20 million fine or 4% of the organization’s global annual revenue. You can avoid paying this fine by alerting data subjects within 72 hours. A data breach is unfortunate; however, you do not want to let time slip by. Be proactive and notify your users right away.
Building Privacy Through Design
Your school should consider designing privacy protection from the ground up. Any technologies your school uses such as a CRM system, website CMS, email marketing software, and other programs that involve collecting or using user data are classified as data processors.
A data processor takes the subject’s data and collects it. One thing about using data processors or third-party software is that they are not entirely liable for the security of the user’s data. Their job as a processor is to collect data with the controller’s instruction. That means the third-party application collects the data on your behalf using your school’s methodologies for obtaining consent.
Your school’s technological infrastructure should have the GDPR in mind – so all technologies will need to be adapted to follow your school’s way of complying with the GDPR.
Picking one Entity to Oversee Compliance
Your school may be the only entity that has to follow the GDPR. If your school falls within the umbrella of a bigger organization, then the GDPR allows one lead entity to enforce the entire organization’s compliance. That means your school might be following the GDPR, but another school in the same entity might not. If a data breach occurs at the school that is not GDPR compliant, then the entire organization gets dinged for a data breach.
It should be the lead entity’s job to ensure that all organizations below it are following the GDPR guidelines.
What Should your International School do About the GDPR?
The ICO has put together a document that outlines the 12 steps towards becoming GDPR compliant. Since the ICO is the authority in data protection and privacy for individuals in the UK and EU, the 12 steps they have provided are your best bet in regards to following a framework.
To prepare your school for the GDPR, the ICO’s 12 steps are:
- Audit the information you hold
- Communicate privacy information
- Follow the individuals’ rights
- Be ready for subject access requests
- Identify lawful basis for processing personal data
- Review your consent process
- Think about the data of children
- Create and follow a procedure for data breaches
- Adopt a privacy by design approach
- Designate a data protection officer
- Determine the main supervisor for your entire organization
Following the 12 steps above should help your entire school become aware and compliant of the GDPR. The most important step to take is to consult with an attorney. An attorney will be able to speak with your international school on complying with the GDPR given your school’s unique situation. No article or video will replace the effectiveness of consulting with an attorney.
Why the GDPR Takes us all a Step Forward
We get it, the introduction of the GDPR might seem like it’s given you a ton of work. What we need to remember is that the GDPR was created to protect people and their sensitive information. As a school, you’re managing the data of both adults and their children. These individuals have instilled a trust in your organization to protect their data and use it for their intended purposes.
The GDPR builds trust and transparency with your audience. A school that is GDPR compliant is a school that is transparent and ethical. Communicating data collection is kind of like talking about freedom of speech or human rights. Asking for permission to collect data is a task that most people feel uncomfortable about, but it’s a necessity for the greater good.
You might feel that the GDPR could hurt your application or enrollment rate. The truth is, it’s the complete opposite.
Higher standards for collecting and protecting personal data means a safer environment for families and their children. Your prospective and existing families will rest easy knowing that their personal data is in good hands.