The General Data Protection Regulation (GDPR) was finally approved by the European Union, the EU Council and Parliament on 14 April 2016 and will replace all data protection legislation in EU member states, including the Data Protection Act 1998 (DPA 1998). The new framework aims to put individuals in control of their personal data, and will require schools, academies and any other organisations that process data to place a much stricter focus on data protection.
There are a number of headline changes of which school leaders must be aware, because errors will be expensive. Data controllers or processors that fail to comply with GDPR face fines of up to 4% of annual worldwide turnover or €20m (for serious breaches). Errors deemed less serious could attract a fine of up to 2% of annual worldwide turnover or €10m.
Definition of personal data
Under the GDPR, the definition of personal data will encompass additional factors by which an individual may be identified, including their genetic, physical, physiological, mental, economic, cultural or social identity.
Consent
As with the DPA 1998, GDPR will require data controllers to have a legitimate reason for processing personal data. If they rely on the consent of the data subject, they must be able to demonstrate that it was freely given and unambiguous, and that it was expressed by a written or oral statement. Silence, inactivity or pre-ticked boxes will no longer constitute consent. A data subject’s consent to the processing of their personal data must be freely given, unambiguous and communicated by a statement of ‘clear affirmative action’.
Where personal data of a child under 16 is being processed to provide ‘information society services’ (such as social networking sites, online business and marketing), consent must be obtained from the holder of parental responsibility for the child. Member states may lower this threshold provided such lower age is not below 13 years.
Data subject’s rights
GDPR expands the data subject’s rights. These include a data subject’s right to request rectification of inaccurate data and to request that their data is processed only for restricted purposes. Data subjects may also request a copy of their personal data in a format usable by them (e.g. electronic format) and request the transfer of their data from one controller to another. GDPR introduces a new right for data subjects known as ‘the right to be forgotten’. In certain circumstances, data subjects can request that their personal data is erased and no longer processed.