GDPR - are you ready?
On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect, replacing the existing Data Protection Act (DPA). As we move into a digital age, our personal data, who has access to it, and how it is used have become a global concern for all businesses, and the FE sector is no different. The DPA was introduced in 1998 and has become largely outdated against the needs and demands of a digital economy, hence the introduction of the GDPR. Colleges need to be fully aware of, firstly, the sheer scope of the new regulation and, secondly, the punitive fines for a breach: the upper limit under the DPA was £500,000, whereas under the GDPR fines can reach €20m or 4% of worldwide annual turnover, whichever is higher.
What is it?
The GDPR's broad remit is to bring about a cultural shift in the way businesses and institutions manage personal data. The EU sees it as an essential step in strengthening citizens' fundamental rights in the digital age, giving individuals more control over how their data is collected, used, stored and restricted.
Does Brexit mean we don’t have to comply?
The UK Government has stated that the GDPR will still apply in the UK post-Brexit. In any case, the GDPR is extraterritorial by nature: it applies to the personal data of individuals in the EU regardless of where the organisation processing that data is based, provided the organisation offers goods or services to those individuals or monitors their behaviour. A business in India processing the data of people in the EU has the same legal obligations to protect that data as a business in France. As such, this is very much a global agenda.
How to prepare?
The first step is to assess the need for compliance and budget accordingly. A surprising number of businesses have failed even to consider the cost implications of compliance and how to deal with the emerging compliance needs. This is often born of a lack of information or understanding of the GDPR and a lack of expert leadership to help them meet the requirements. The UK is also lagging behind its peers: a number of the practices the GDPR introduces have long been commonplace in countries such as Germany but are completely new concepts in the UK, which makes the May 2018 deadline a much more demanding timeframe for UK organisations to meet.
Budgeting for the GDPR will include recruiting, hiring and training personnel, and this will often start with the appointment of a data protection officer, which the GDPR makes mandatory for public authorities, a category that covers most Colleges; a number of Colleges are likely to have the capacity to train for this role from within. Resources will also need to be spent on proper data management policies (documenting why information is held, how it is collected, when it may be deleted or anonymised, and who may gain access to it) and on identifying the lawful basis for each processing activity. Where consent is relied on, it must be obtained in a way that meets the GDPR's standard: freely given, specific, informed, unambiguous, and as easy to withdraw as it was to give.
Colleges will also need comprehensive reporting policies for security breaches. The GDPR introduces a general duty to report personal data breaches to the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; where a breach is likely to result in a high risk to individuals, they must be informed as well. As such, policies will need to cover how to detect, investigate, respond to and report data breaches when they occur, and the 72-hour clock makes timely detection and escalation as important as the reporting itself.
Evidently, the GDPR will require varying degrees of work and resource from Colleges. However, its introduction is expected to benefit both individuals and organisations through better security, a better understanding of the information held, and more accurate information. With the correct approach and early preparation, Colleges should be able to meet the GDPR requirements without significant issue.
MHA MacIntyre Hudson's internal audit team is well versed in the requirements of the GDPR and would welcome an informal discussion to ensure Colleges are on track to stay on the right side of the GDPR and avoid the potential pitfalls of the new regulation. Please get in touch with our internal audit team to find out more about the GDPR.