GDPR comes into force 25th May 2018 . . . are you ready?
The General Data Protection Regulation (GDPR) (Regulation (E.U.) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (E.U.).
At the same time it will ensure schools themselves have a clear and dependable set of rules when handling data.
Ratified in April 2016, the regulation will replace the Data Protection Act 1998 and cover the capture, control and consent to use personal information. In simple terms, GDPR is an enhanced version of the Data Protection Act 2018 covering any company, inside or outside the E.U., that offers goods and services to European citizens. It’s highly likely your organization must comply with GDPR.
In 2018 the UK will still be an E.U. member state and must comply with the regulation. When Brexit happens, in order to be a tradeable nation we will still need to comply, as will any country outside of the E.U. that wants to trade within it. The intention of the regulation is clear. It is in place to protect personal information, and it puts the responsibility of protecting the personal data of employees, students and parents firmly on the shoulders of your school.
- Much larger fines for non-compliance / non-readiness / actual data loss – currently UK fines are a maximum of £500,000
- The right to erasure and to be forgotten – the subject has a right to withdraw consent for companies to hold their data at any time.
- Timely breach notification – within 72 hours of data loss.
- Expanded territorial scope – all data controllers and processors are subject to the GDPR if they operate within the E.U. or hold data on E.U. citizens.
- Consent will be harder to get – subjects must now opt in to having data held on them rather than opting out as previously, and consent must be provable as a clear affirmative action.
- Plus more . . .
The GDPR will replace the Data Protection Act in May 2018 and will affect every school that processes data on vulnerable individuals who are deserving of protection. On the 25th May 2018, when the regulation comes into effect, it’s NOT a gradual phasing in. You could be prosecuted for a single violation and suffer either financially or through a damaged reputation. Are you a charity, health organisation, business, school, marketing agency, website? It doesn’t matter. To be fair, if you hold or manage data on any E.U. citizen, getting compliant and ensuring continued compliance should be your priority.
GDPR doesn’t take your budget as an excuse for non-compliance – but can you afford not to be compliant?
OK, you have scared me, what should I do about it? Our job isn’t to scare you, or direct you down paths that are not good for your school. Our job is to support you, to keep you secure as much as we possibly can with the resources we have at hand, but we can’t do that alone. YOU have to take responsibility for your data both externally and internally.
You can download our full GDPR guide here.
This information is not exhaustive. It is designed to get you thinking, to get you on the road to compliance and to help us help you make your business secure. We are not experts in GDPR, but we are experts in I.T. If you need help or advice preparing your business or school to be secure now and for future years, whether it be encryption, web filtering, multi-factor authentication, data backup, email security or any of the other endless security concerns, then please call 01326 379 497 or email firstname.lastname@example.org
To find out more about GDPR training provided by NCI please click here.