We’re now on the eve of enforcement of the strictest data law to date - the EU’s General Data Protection Regulation (GDPR). As we’ve crept closer to the deadline, more and more organisations have become aware of the Regulation. Despite this, under 10% of organisations and half of charities are prepared for GDPR, with two thirds of UK firms currently storing data in a non-compliant way.
Time is fast running out, and organisations everywhere are bracing themselves for the hefty €20 million (or 4% of global revenue - whichever is greater) fine. Further education is likely to be hit hard. GDPR deals with the ownership and use of personal data. Further education institutions deal with a lot of that.
So, even this close to the 25th May enforcement deadline, there’s still a lot of work to do across the further education sector.
Data ownership and accountability
The biggest change that GDPR ushers in covers who owns personal data. Before GDPR this was something of a grey area. You could’ve argued, for instance, that Apple owned any data collected via the Apple Watch, because without the device that data wouldn’t have existed. However, under GDPR the ownership of any personally identifiable information belongs solely to the individual it relates to. For reference, personally identifiable information describes any data that can identify an individual, so addresses, names, family names, passport or driving licence details and biometric data all fall under this.
GDPR and consent
With ownership of personal data now solely in the hands of the individual, further education institutions will have to gain consent for any kind of use of this data, unless the data is being used for legitimate interests (for example, if a student needs to provide their personal information for examinations). If you have an alumni community, then they will need to provide consent for any data use. Likewise, if you’re marketing to potential applicants, you’ll need their consent for that activity.
Any consent also needs to be clearly stored with the personal data that it relates to. This will have to be reviewed regularly and consent refreshed on at least an annual basis. It will also have to be given for each and every data use. So, if you’re using data to identify a target audience for a new marketing campaign, you’ll need consent. If you then use the same data for email marketing, you’ll require consent again.
Consent must be freely given under GDPR. You cannot offer a free course in return for consent, for instance. Additionally, any data use needs to be explained in a way that a lay person will understand. Simply saying “data will be used for segmentation” isn’t going to be enough, and instead, this will have to be spelt out as “grouping people based on similar characteristics to better target marketing and other communication.”
Perhaps less relevant for further educators is the Regulation’s stance on consent for minors. However, if this does apply to your organisation, then you will have to obtain any consent for minors’ data use from both their parents/guardians and the minors themselves.
Data storage under GDPR
The education sector has a duty of care towards any student, prospect, or alumnus to protect their data and ensure its security. This will be critical under GDPR.
Many organisations have data stored in many different departments and in ‘data silos’. This poses a problem after GDPR enforcement as many organisations cannot accurately say where data is located. To become GDPR compliant, it’s a good idea to undergo a data audit to identify all data storage and also to combine it all under one storage solution.
This achieves two things:
- Firstly, with data stored in one location, you can ensure its security and that only those who need to use the data have access to it.
- Secondly, if asked by a prospect, student or alumnus to delete or move data (part of the data portability requirement of GDPR), your organisation will be able to do so easily.
Third party use of data
Many further education institutions may use third parties to carry out data analysis, marketing and so forth. GDPR requires any organisation to check that a third party is also compliant with the Regulation. Consent will also have to be given for data use by third parties where there isn’t a legitimate interest. Sharing data with an exam board for a qualification is fine, but sharing it with a partner organisation for marketing purposes will need consent.
Some organisations may also purchase or obtain data from third parties. Under GDPR, the purchase of third-party lists is an infringement. Consent cannot be confirmed for such data use and therefore further educators need to avoid this kind of activity.
Educating staff on requirements
GDPR will require huge changes across institutions. With any organisation-wide change, communication and education are key. Staff should be made aware of the incoming Regulation and the changes to their role and data responsibilities. The crippling fines for non-compliance should also be communicated.
GDPR’s geographical reach
Despite being an EU-based law, GDPR has far-reaching consequences. Any organisation that deals with EU citizen data, or that processes data within an EU Member State, will have to comply with the Regulation. For further education firms, this will cover any overseas student where their data is processed within the EU. For UK-based institutions, despite Brexit, GDPR will still apply as it has been ratified into UK law as the Data Protection Bill.
The future of GDPR
There are many different parts to GDPR and falling foul of any of them can have huge consequences for institutions. Thankfully, there are many guides available that can get you up to speed with the new data law. When May 25th comes, there are likely to be many casualties in further education as well as other industries across the globe. Only time will tell what the long-term impacts of the Regulation will be. One thing, however, is certain. The way organisations store, process and use data will never be the same again.
Nabeena Mali, Head of Marketing, AppInstitute
About Nabeena: She is passionate about sharing her knowledge and insights on design strategy, UI/UX trends and driving digital growth through content marketing for AppInstitute, a DIY app builder for small businesses.
Copyright © 2018 FE News