One of the many myths around General Data Protection Regulations (GDPR) is that schools and other organisations will be able to use standard templates for their privacy statements. Sadly, this is not the case. At the moment, controllers (organisations that process our personal information, whether we be staff, students or suppliers) have to inform the Information Commissioner’s Office that we are such an organisation and the general purposes for processing said information, for whom, things are changing going forward. Instead of notifying the ICO, every controller will need to clearly advise any individual for whom they process their personal information.
“The individual has the right to be informed about the specified, explicit and legitimate purpose for their information.”
The controller must, therefore, carefully consider what purpose or purposes the personal information will be used for. They must not collect personal information if it’s not necessary, adequate or relevant for the purpose or purposes which are intended to be served. Purpose specification lies at the core of the legal framework established for the protection of personal data in order to determine whether processing of information complies with the law, and to establish which data protection safeguards should be applied. This is to ensure that the data is not processed for any other purposes than the individual has been informed about. A purpose that is vague or general, such as for instance ‘improving users’ experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will – without more detail – usually not meet the criteria of being ‘specific’.
Each school will do things differently. Their purposes will differ from other schools. The description of the purposes will be different. The flow of information will take different routes for each school across their own physical filing systems and IT systems. Therefore, the notice to the individual will be different for each school.
This is why GDPR is so complex. If you look at a bell curve, those on the left know little about GDPR, whilst those on the right are experts – the risk of dealing with either is low (someone who knows nothing about GDPR will tell you – and the expert will be clear why they are an expert). However, everyone in-between is a high risk – they think they know, but they don’t, and consulting with them increases the risk of you doing the wrong thing regarding your own GDPR compliance journey.
As a data protection officer (DPO) to a FTSE 100, providing DPO services and other GDPR services to various schools (all types, including SEN), local authorities, banks, professional services, and others, our team have come across examples in every sector of bad practice. In these examples, would-be experts, perhaps with a background of IT security or governance / risk / compliance, have jumped on the bandwagon, with disastrous consequences. These include: funds misspent and increased risks of future breaches of data protection legislation (not just GDPR).
Those risks include potential damages sought in civil court cases, as well as fines and enforcement orders from the ICO. The likelihood of being on the wrong end of a complaint from a disgruntled member of staff, student or supplier, is perhaps reflected in the 17,000 investigations by the ICO over the last 12 months. One of the reasons why only 16 organisations received a fine was that ‘accountability’ (i.e. the need to demonstrate compliance in advance – i.e. write it down) is not currently enshrined in the Data Protection Act. Under GDPR, it is. That means that unless all GDPR compliance evidence is documented, that’s an automatic breach. So the ICO are going to have less opportunity to turn a blind eye and just suggest some improvements. Also, given the fines are increasing from £500,000 to £17,000,000, no matter how “dissuasive, proportionate, and effective” the fine, it’s going to be a proportion of a much larger number.
You have been warned. There’s less than 6 months to go in order to get compliant. You’ll need to review every supplier contract and schedule you have. You’ll need to reword every privacy statement. You’ll need to review every employee contract. You can only do that after some serious preparatory work. It’s still possible. But with expert advice. Contact priviness.eu to find out how.
Sandy Gilchrist, Director, Priviness