What is GDPR? And how will it affect FE?
Put simply, GDPR (general data protection regulation) is a new set of rules to give people more control over their personal data.
In today's world, almost every aspect of our lives resolves around data. Think about banks, shops, social media, even getting your hair done – we share personal data in most transactions. This means information like your name, address, credit card details, shopping preferences and more are collected, analysed and stored by organisations around the world.
What is GDPR?
GDPR is a set of principles all data controllers (who owns data) and data processors (anyone who holds this data) must comply with. They must gather data in a legal way and process it without misuse or exploitation – or face large penalties. These are the 6 main GDPR principles:
Personal data should be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and where necessary kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed
- Processed in a manner that ensures appropriate security of the personal data
This is a lot to take in, but it basically means that companies have to have permission to contact people and collect data. GDPR outlines the specific rights that ensure individuals are in control of their personal data, can request a copy of their data at any time, and can ask for it to be deleted.
GDPR will also mean individuals have to give consent before organisations can contact them – putting an end to random direct mail and companies selling data on to others.
For an in-depth look at OneFile's GDPR policies, download our FAQs.
Who does GDPR apply to?
GDPR came into force on 25th May 2018 and applies to all organisations in all EU member states.
Even though the UK is set to leave the EU in March 2019, the UK Government has said that GDPR will stand after Brexit. It will help strengthen data protection across the UK and make it easier for UK organisations to work with European partners.
What counts as personal data in FE?
GDPR will affect all schools, colleges, training providers and universities in the UK. Although you may not see yourself as data carriers, all the personal data you store about staff and students must comply with GDPR: names, addresses, medical histories, attendance records, grades, reviews – all this information counts as personal data.
Under GDPR, all data that can be used to identify an individual counts as personal data. Find out more here.
How does GDPR affect me?
As an individual, you don't have to worry too much about GDPR. But as a college, training provider or employer, you're a data controller, so you'll need to think about how you handle the personal data of students, staff and customers. You must make sure you have the systems and processes in place to fulfil requests made by individuals – such as data deletion or extraction. To do this, you'll need to examine how data is managed and stored, and whether you use data for any reason than what it was explicitly collected for.
You'll also need to make sure all contracts with data processors are GDPR compliant – and that's where we come in. OneFile is a data processor or sub-processer – so if you're a OneFile customer, you need to know that we're compliant to be compliant yourself.
What has OneFile done to prepare?
At OneFile, we always take information security seriously – which is why we're ISO27001 certified. It also means we've had a handle on GDPR for a while now and have updated all our policies in-line with GDPR requirements. This means we've updated how we collect, manage and store data, upgraded our data servers, and brought all staff up to speed with the new regulations.
We're also keeping a close eye on the ongoing guidance published by the Information Commissioner and will keep you updated of further changes.
For an in-depth look at OneFile's GDPR policies, download our FAQs. They outline exactly how OneFile complies with the GDPR principles as a data processor, and this impacts you as a data controller.
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR.
This article includes research and opinion sourced by OneFile at the time of publication. Things may have changed since then,
so this research is to be used at the reader's discretion. OneFile is not liable for any action taken based on this research.