“Evolution, not revolution” is the mantra that the Information Commissioner’s Office (“ICO”) has been chanting for some time now, as their euphemistic summary of the change the General Data Protection Regulation (“GDPR”) will bring about.
In pure legal terms there is some truth in this, but for many of our school and charity clients it is small consolation for the overhaul of documents, policies and culture they are having to consider.
We have been assisting schools and charities on their data protection evolution including data audits, risk assessments, data protection officers, privacy notices, legal bases for processing and all manner of weird and wonderful issues. Since our GDPR overview seminar in September 2017, we have also been delivering bespoke GDPR training to boards, senior leadership teams and governors as well as the Boarding Schools Association’s nationwide ‘Roadshow’.
It is not just organisations which are evolving: the ICO itself has been updating its materials, guidance and thoughts on GDPR compliance and implementation, and we summarise the key updates below.
1. What about processing children's data?
The ICO’s consultation on their new draft guidance “Children and the GDPR” closed on 28 February 2018. The guidance is the ICO’s view on what Recital 38 of GDPR – that “children require special protection” – looks like in practice.
All schools and charities who work with children should read this guidance and keep an eye out for the final version. The following sections are essential reading:
- Privacy notices
- Organisations seeking to process data relying on parental consent
- Where the processing is necessary for the performance of a contract.
2. What does 'legitimate interests' mean?
Much of the excitement and panic surrounding reliance on consent for processing people’s data has, it seems, been replaced by a tentative optimism that perhaps ‘legitimate interests’ is the answer to all the sector’s data protection woes.
The trouble for schools and charities – and for many advisers – is that the ICO has not issued any guidance on the subject. As such, attempts at informed decision-making on the appropriate legal basis for processing can leave those involved feeling like they are taking a shot in the dark.
For those in the know, the Data Protection Network’s Legitimate Interests Guidance, which was issued in July 2017 and has largely gone under the radar, has been “welcomed” by the ICO and is the closest thing to the ICO’s position that we currently have. It is a must-read for any organisations wishing to rely on ‘legitimate interests’.
3. How transparent is transparent?
Transparency, under GDPR, is a fundamental aspect of the First Principle of data protection – that personal data be processed lawfully, fairly and transparently. Transparent processing is also intrinsic to ‘fair’ processing (as required under the First Principle) and the new ‘accountability’ principle of GDPR. But how transparent do you have to be ‘to be transparent’?
The EU Article 29 Working Party – an advisory body made up of representatives from the data protection authorities of each EU member state – has published draft guidelines on the transparency principle of GDPR. The guidelines are not binding, but in the context of the ICO’s silence on this principle, they constitute the best barometer of how the ICO might regulate on issues surrounding transparency.
The ‘evolution’ to ensure transparency of data processing for schools and charities will involve changing how they communicate with data subjects – be they beneficiaries, pupils, parents, users, alumni, donors, staff or volunteers. Changes may need to be made to privacy notices, how individuals’ rights are communicated, when there is a change in the purposes for processing and when breaches occur.
The onus is on the data controller to adopt a “user-centric” approach which makes information easily accessible and avoids drowning data subjects in long legalistic policies – or “information fatigue” as described in the guidelines. This ethical approach to data protection compliance will be a significant culture shift for many organisations.
4. What records of processing do we need to keep?
The ICO published further guidance on its website in January 2018 on what documentation organisations need to keep in order to record their processing activities.
The guidance includes templates for keeping adequate records – for both controllers and processors – and tips on how these records could be populated and put together.
Whilst there is a lighter burden on organisations employing 250 or fewer people, the guidance says “even if you need not document some or all of your processing activities, we think it is still good practice to do so.”
Failure to keep adequate records is a breach of the GDPR. Schools and charities already operate in highly regulated environments and this requirement (which is relatively straightforward) should not be too onerous.
5. Data Protection Officers - do you need one?
This has been a question many of our school clients have been wrestling with. Do we need to appoint a GDPR Data Protection Officer (“DPO”) and, if not, is there any virtue in appointing one anyway? With new DPO vacancies being advertised online with salaries starting from £30k and anywhere up to £100k+, this is a question which will have serious cost as well as compliance implications.
The simple answer is that we are all waiting for some clearer guidance from the ICO. The Article 29 Working Party has published guidelines on DPOs, but the question of whether schools or charities should appoint a DPO will be an issue of fact and degree. Do your “core activities” consist of large scale, regular and systematic processing of personal data? Do your “core activities” consist of large scale processing of special categories of data (relating to health, sex life, religion, etc.)? Whatever your interpretation of your situation, the Article 29 Working Party guidance suggests, sensibly, that the issue should at least be considered and the decision properly documented.
6. Other new (and some less recent) guidance
The EU Article 29 Working Party has also published guidance on:
- reporting personal data breaches (at the time of writing in draft form)
- consent (at the time of writing in draft form)
- conducting Data Protection Impact Assessments (at the time of writing in draft form)
- automated individual decision-making and profiling
- data portability
The ICO has also published guidance on:
- consent (at the time of writing in draft form)
- GDPR - a general online guidance document updated periodically to reflect
- Preparing for GDPR - "12 steps to take now" - again updated periodically
- "Getting ready for GDPR" checklists for controllers and processors
For further advice on the above topics, please call us on 01483 543210 or alternatively email email@example.com