17 Nov 2017 11:50 AM

The General Data Protection Regulation (GDPR) is introduced on 25 May 2018 and represents a drastic overhaul of current legislation.

Despite ongoing Brexit negotiations and its impending exodus from the EU, the UK will uphold the new legislation – effectively replacing the 1998 Data Protection Act – as confirmed in the Queen’s Speech in June this year.

Who does it affect?

The change will affect any organisation holding personal data

  • that is any information about a living individual that can be identified from that data alone, or alongside other information that the organisation holds.
  • In reality this will affect most organisations.

Impact of non-compliance

Non-compliance with GDPR could have serious implications. The EU is set on synchronising often differing data standards in member states and determined to ensure best practice is upheld.

Failure by organisations to operate within the new legal  framework could bring financial penalties severe enough to force an organisation to its knees. In the UK, firms that suffer a serious data breach could be fined up to £17m (€20 million) or 4% of global turnover. That compares with the current maximum fine of £500,000 for breaking data protection laws.


All organisations will be expected to comply with the new rules regarding the secure collection, storage and usage of personal information. At the heart of the move is the theme that individuals will be given greater control over their personal data, specifically in being able to access, delete and move it. The definition of personal data is expanded to include IP addresses, internet cookies and even DNA.

The key changes coming from GDPR are:

  • Consent must be obtained to use or process personal data. All consent requests must be prominent, non-ambiguous and not form part of general terms and conditions.
  • Data must only be used for the purposes for which the academy trust has been given consent.
  • The right of access and the right to be forgotten will mean that anyone can access personal data held about them and can request their data to be deleted; It will no longer be enough just to supress those records.
  • Data portability will give anyone the right to transfer their data. Colleges or academy trusts will need to be able to provide the data in a structured and commonly used electronic format.


An important factor is to ensure a college’s or academy’s data processes protect the rights of individuals. Therefore, an organised data protection programme is needed, with all data activities accurately recorded.

There is an increasing requirement to produce an inventory of personal data to facilitate wider data governance. Moreover, data governance obligation extends to any third-party contractors or partners working with a business, and will present institutions with much greater legal liability in the event of error.

Education institutions often share data with third parties, for example with examination boards, or in respect of sector data, such as SEND and NEETs and this needs to be factored into respective plans.

How to prepare

The first step is to assess the need for compliance and budget accordingly.

Budgeting for GDPR will include recruiting, hiring and training personnel and this will often start with the appointment of a data protection officer – a number of colleges and academies are likely to have capacity to train for this role from within. Resources will also need to be spent to ensure proper data management policies (documenting why information is held, how it is collected, when it may be deleted or anonymised, and who may gain access to it) and agreements are put in place for individuals to sign up to regarding collection of their data.

Colleges and academies will also need to have comprehensive reporting policies where there are security breaches. GDPR introduces a blanket policy on reporting breaches to the Information Commissioner Office (ICO) within 72 hours where there is a risk to affected individuals. As such, policies will need to cover how to detect, investigate, respond and report data breaches where they occur.

The most likely reasons for non-compliance will be failure to keep personal data secure (both physically and in IT systems), sharing data when no consent has been given, and processing the data for any purpose other than that for which it was collected. To prepare for the new law, organisations should act now to review policies and procedures, to consider if they will need to appoint a Data Protection Officer and examine any data collection notices in marketing and other material.


Guidance documents published by the ICO recommend to businesses that “it is essential to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people in your organisation”.

To help prepare for GDPR, the ICO has produced a 12-point list of steps aimed at businesses to take straight away

These include: ensuring that the decision makers and key people within any organisation are aware that the law is changing; carrying out a review of current privacy notices and planning for any necessary changes; and designating an appropriate person to take responsibility for data protection compliance while assessing where this role sits within your business’s structure.