Regardless of how small your company is, if you collect and store personal data you are in scope for GDPR compliance!
General Data Protection Regulation (GDPR)
Basically, personal data about your staff and your learners needs protecting, and to comply with the GDPR you must have a whole host of new policies and procedures in place.
GDPR has been ratified by the UK government, so as it stands it will be enforced regardless of Brexit.
If you haven't made a start by now there's no way you will become GDPR compliant by May 25th, but as the Information Commissioner says, don't panic!
"To small and micro businesses, clubs and associations who are not quite there, I say … don’t panic! As the new ICO Regulatory Action Policy, out for consultation very shortly, sets out, we pride ourselves on being a fair and proportionate regulator. That will continue under the GDPR. 25 May is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data."
It's not going away. If you're yet to make a start, check out the 12 Steps to Take Now document to see what's in store.
Download the full General Data Protection Regulation (GDPR) to see just what changes are on the cards.
GDPR & ILRs
You should all be GDPR compliant, or at least working towards compliance as the ESFA are checking up!
As of 25th May 2018 your application/enrollment forms should now include the updated contact preferences fields, as set out in the ESFA's Appendix F - Privacy Notice.
The Learner Contact Preference Entity Definition is explained on pages 61 - 64 of the Specification of the Individualised Learner Record for 2018 to 2019 Version 3 documentation.
You should also check out the Education and Skills Funding Agency privacy notice: May 2018 page if you haven't done so already.
Questions You Should Be Asking!
• What data am I collecting?
• What is the lawful basis for me storing and processing this information?
• Where does it go and what happens to it?
• Do I share this information with anyone – are they GDPR compliant?
• Do I share the information with anyone outside the UK? Does the country it goes to have legal rules in place to comply?
• What's the information going to be used for?
• What do I tell the person when I collect the information?
• How have they actively shown that they agree to this?
• How long do I need to keep the information for?
• Why do I need to keep it as long as I do?
• Do I need to do anything to comply in these instances?
Six Core Principles
These six core principles of the GDPR are the basic foundations on which the regulation was constructed, and they are what you need to deliver in order to comply.
1. Personal information shall be processed lawfully, fairly and in a transparent manner
Principle one in a nutshell is the concept of clear consent. In any situation where personal information is collected, it should have the clear consent of the data subject. Opt-in tick boxes are still allowed, but the regulation explicitly prohibits consent by non-action or opt-out boxes. You are non-compliant if you still offer an opt-out!
2. Personal information shall be collected for specified, explicit and legitimate purposes.
When you collect personal information, you must explain to the data subject the purpose of its collection and why it's being processed. Organisations will need to become much clearer with data subjects about what their personal information is going to be used for.
3. Personal information shall be adequate, relevant, and limited to what is necessary.
When collecting personal information, the data controller must only collect personal information that is absolutely required for the specified purpose. For example, when collecting personal information to send to the ESFA in an ILR, there's no basis for requiring my marital status.
4. Personal information shall be accurate and, where necessary, kept up-to-date.
As data controller you are obligated to ensure – to the best of your abilities – that the information collected is correct. The regulation is trying to address situations where processing incorrect personal information may cause distress or harm to data subjects.
5. Personal information shall be retained only for as long as necessary.
All personal information must now have an expiration date applied that is appropriate to the purpose for which it was collected. Indefinite retention isn't an option and will probably seriously upset the ICO!
6. Personal information shall be processed in an appropriate manner to maintain security.
This is the principle that has had a huge impact, as it requires data controllers and processors to ensure the confidentiality, integrity and availability of their data processing systems.
New ICO Fees for GDPR
The ICO's new fee structure takes effect on 25th May 2018; if you are already registered, the new fee will be required on renewal.
"The new structure was laid before Parliament on Tuesday 20 February as a Statutory Instrument and will come into effect on 25 May 2018, to coincide with the General Data Protection Regulation."
ESFA Privacy Notice
The ESFA will have to make updates to their privacy, consent and data protection policies as of 25th May.
The current ESFA privacy notice contains the following:
"Changes to this Privacy Notice
The ESFA may amend this Privacy Notice from time to time. If we make any substantial changes in the way we use your personal information we will make that information available by amending this notice."