GDPR addresses the changing landscape of personal data in a digital age.
The UEA email incident may be one of the first reported data breaches within Higher Education, but it surely won’t be the last unless universities take the implementation of GDPR seriously. As the largest legislative change to UK law in recent years, GDPR addresses the changing landscape of personal data in a digital age and will come into effect on 25th May 2018. It is imperative that the Higher Education sector prepare for this.
Universities, along with all other organisations in the UK, need to follow a structured process for dealing with these changes. This should include:
1 – Spread the word
Raise awareness. Make sure your VCs, Executive Boards, Deans, Academics and Lecturers are aware that the current Data Protection Law is changing to GDPR on 25th May 2018 and how it will affect your university. Who will be your Data Protection Officer and do you know the requirements for the role?
2 – Know the rules
3 – Check your data
It’s a good time to carry out an audit to establish what personal data is held on students, alumni and staff. Where is it from and how long have you had it? Do they know you collect it, how you use it or which organisations it is shared with?
4 – Know their rights
Check you have compliance processes to cover all the rights individuals have under GDPR. These include how you edit, electronically transport, securely store, correct, retain and delete their personal data. All requests for personal data must be supplied in an appropriate format.
5 – Update your policies
Plan how you will handle requests within the new GDPR timescales and provide these free of charge. This can include requests from students and teaching staff regarding CCTV, surveillance technologies, photos, attendance records and digital information held on social media, educational websites and apps.
6 – Prepare for breakdown
Make sure you have procedures in place to detect, report and investigate potential data breaches. If a breach occurs, it may need to be reported to any students or staff affected within GDPR’s strict specified time periods.
As we edge ever closer to the implementation of GDPR, it is evident that education establishments across the UK must act and implement change. Clarity and transparency will be central to proving how consent was gained, along with detailed data management and storage policies. These should cover the process from all angles and have student privacy and rights built into their very core.
Originally published on GDPR.Report.