Rob Hunter is Managing Director and Founder of Hunterlodge Advertising. In this piece he draws our attention to the changing landscape of personal data management and the need for the HE sector as a whole to prepare for effective compliance with the GDPR (General Data Protection Regulation).
GDPR (General Data Protection Regulation) is the largest legislative change in recent years that addresses the changing landscape of personal data in a digital age. Despite it being an EU initiative, the UK Government has confirmed that the GDPR will still come into effect by 25th May 2018 and any business not complying could face a hefty fine of up to €20 million or 4% of its annual global turnover – whichever is higher.
Anyone who holds personal data on the public will be directly affected, and this includes universities and colleges. So how exactly will this affect the education industry?
Firstly, it is important to look at the data you currently hold on students, how it is gathered and whether it is classified as sensitive or non-sensitive data. Simply having a ‘one-size-fits-all’ opt-in consent structure, without individual consent for the use of each set of data, will be detrimental to both the university and the student, as universities will be unable to gather and process this data for future learning analytics and marketing purposes.
GDPR will cover all levels of data, including phone records and patterns, progress reports to students’ sponsors, staffing records such as salary, performance and employment details, graduating students’ names, research data that includes surveys, as well as individual logs that record library or door access.
And it is not just internally held data that needs assessing. Data shared with external institutions, held in the cloud or accessed through third-party partnerships needs to be brought under the GDPR compliance umbrella, most notably UCAS. For them in particular, the core issue will revolve around clarity on consent for the usage of data. It will then be up to the organisations that access this data to follow the same tightly regulated policies and governance.
Like any other organisation in the UK, universities need to follow a structured process for dealing with these changes. These should include:
- Raising awareness of the changes and their importance across all internal and external stakeholders, to help minimise the risk of data misuse
- Carrying out a data audit on data holding, gathering, use and sharing
- Appointing a Data Protection Officer if necessary to ensure all your efforts meet the new regulations
- Incorporating new rules on individuals’ rights and subject access requests into all the data operations
- Implementing new consent regulations going forward and refreshing any existing data if it does not meet the new GDPR standards; and finally
- Drawing up new codes of conduct and policies, including the fair and transparent collection and processing of personal data, the technical and organisational measures for security and data protection, and measures to deal with privacy breaches and dispute resolution procedures.
Although the GDPR seems like a scary prospect, it will not herald the end of marketing or day-to-day operations as we know them. Clarity and transparency will be central in order to prove how consent was gained, along with detailed data management and storage policies. These should cover the process from all angles, and have student privacy and rights built into their very core.