“Evolution, not revolution” is the mantra that the Information Commissioner’s Office (“ICO”) has been chanting for some time now as their euphemistic summary of the change the General Data Protection Regulation (“GDPR”) will bring about.
In pure legal terms there is some truth in this but for many of our schools and charity clients it is, however, small consolation for the overhaul of documents, policies and culture they are having to consider.
We have been assisting schools and charities on their data protection evolutions including data audits, risk assessments, data protection officers, privacy notices, legal bases for processing and all manner of weird and wonderful issues. Since our GDPR seminars last September and this February we have also been delivering bespoke GDPR training to boards, senior leadership teams and governors as well as the Boarding School Association’s nationwide ‘Roadshow’.
It is not just organisations which are evolving, the ICO itself has been updating its materials, guidance and thoughts on GDPR compliance and implementation and we summarise below the key updates:
1. What about processing children's data?
The ICO’s consultation on their new draft guidance “Children and the GDPR” closed on 28 February. The guidance is the ICO’s view on what Recital 38 of GDPR – that “children require special protection” – looks like in practice.
All charities and schools who work with children should read this guidance and keep an eye out for the final version. The following sections are essential reading:
- Private notices
- Organisations seeking to process data relying on parental consent
- Situations where organisations wish to rely on the processing being necessary for the performance of a contract.
2. What does 'legitimate interests' mean?
Much of the excitement and panic surrounding reliance on consent for processing people’s data has, it seems, been replaced by a tentative optimism that perhaps ‘legitimate interests’ (“LI”) is the answer to all the sector’s data protection woes.
The ICO published its LI guidance at the end of March, which says that whilst LI “is the most flexible lawful basis for processing… you cannot assume it will always be the most appropriate.”
The guidance also confirms that organisations must carry out a legitimate interests assessment – a light-touch risk assessment – in order to be able to demonstrate that the processing is lawful and that you have considered all the relevant factors. The guidance attaches a sample LIA template which can be accessed following the link.
3. How transparent is transparent?
Transparency, under GDPR, is a fundamental aspect of the First Principle of data protection – that personal data be processed lawfully, fairly and transparently. Transparent processing is also intrinsic to ‘fair’ processing (as required under the First Principle) and the new ‘accountability’ principle of GDPR. But how transparent do you have to be to be transparent?
The EU Article 29 Working Party – which is an advisory body made up of representatives from the data protection authorities of each EU member state – have published guidelines on the transparency principle of GDPR. The guidelines are not binding, but in the context of the ICO’s silence on this principle, it constitutes the best barometer of how the ICO might regulate on issues surrounding transparency.
The ‘evolution’ to ensure transparency of data processing for schools and charities will involve changing how they communicate with data subjects – be they beneficiaries, pupils, parents, users, alumni, donors, staff or volunteers. Changes may need to be made to privacy notices, how individuals’ rights are communicated, when there is a change in the purposes for processing and when breaches occur.
The onus is on the data controller to adopt a “user-centric” approach which makes information easily accessible and avoids drowning data subjects in long legalistic policies – or “information fatigue” as described in the guidelines. This ethical approach to data protection compliance will be a significant culture shift for many organisations.
4. What records of processing do we need to keep?
The ICO published further guidance on its website in January 2018 on what documentation organisations need to keep recording their processing activities.
The guidance includes templates on keeping adequate records – for both controllers and processors – and tips on how these records could be populated and put together.
Whist there is a lighter burden on organisations employing 250 or fewer people, the guidance says “even if you need not document some or all of your processing activities, we think it is still good practice to do so.”
Failure to keep adequate records is a breach of the GDPR but is one of the more straightforward requirements of the regulation which schools and charities – already operating in highly regulated environments – should not find too onerous.
5. Data Protection Officers - do you need one?
This is has been a question many of our school clients have been wrestling with. Do we need to appoint a GDPR Data Protection Officer (“DPO”) and, if not, is there any virtue in appointing one anyway? With new DPO vacancies being advertised online with salaries starting from £30k and anywhere up to £100k+ this is a question which will have serious cost as well as compliance implications.
The simple answer is that we are all waiting for some clearer guidance from the ICO The Article 29 Working Party has published guidelines on DPOs, but the issue of whether schools or charities should appoint a DPO will come down to the judgment of each organisation. Do your “core activities” consist of large scale, regular and systematic processing of personal data? Do your “core activities” consist of large scale processing of special categories of data (relating to health, sex life, religion, etc.)? Whatever your interpretation of your situation, the Article 29 Working Party guidance , sensibly, that the issue should at least be considered and the decision properly documented.
6. Other new (and some less recent) guidance
The EU Article 29 Working Party has also published guidance on:
- conducting Data Protection Impact Assessments
- automated individual decision-making and profiling
- data portability
The ICO have also published guidance on:
- GDPR - the ICO’s general online guidance document
- Preparing for GDPR - "12 steps to take now" - again updated periodically
- "Getting ready for GDPR" checklists for controllers and processors
For further advice on the above topics, please call us on 01483 543210 or alternatively email firstname.lastname@example.org