A marketing student recently told us about a lecturer who said: “Websites should have as many sign-up boxes as possible, because you can always use data for something.”
The student queried this, because they thought the EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, was going to clamp down on that kind of practice.
“The GDPR is only for large corporations like Facebook,” the lecturer said. “Most organisations won’t be affected by it.”
This lecturer is monumentally ill-informed. Not only does the GDPR have strict rules on how and when data can be collected, but it also applies to any organisation in the world that collects EU residents’ personal data.
Hopefully the lecturer will realise their error by the time the university makes changes to comply with the Regulation. Staff and students will notice several big changes, as the GDPR introduces or strengthens several rights for data subjects.
Whether you’re a student or teacher on a course that covers data protection or are part of an educational institution’s GDPR compliance programme, you should know how the Regulation will affect universities and colleges.
What do educational institutions need to know?
Educational institutions collect vast amounts of personal data on students and staff, including names, email addresses, physical addresses, financial information and health information. Most organisations currently use consent as the basis for collecting personal data, but the GDPR toughens the rules for lawful consent, making it less than ideal in many circumstances.
Educational institutions will rarely have to rely on consent, and should instead use one of the other lawful grounds for processing data:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract. This will cover anyone employed by the institution, including external examiners and visiting and honorary academic postholders, as well as any circumstance involving students’ contractual obligations to the institution.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This covers public authorities, which will typically include educational institutions, but the definition isn’t as clear as you might expect. It’s worth clarifying with your supervisory authority whether your organisation is considered a public authority.
There is another lawful ground – legitimate interests – but it only applies to private-sector organisations.
There’s much more to learn
The rules for processing data are just one part of the GDPR. Educational institutions have to complete a number of tasks to comply with the Regulation, including:
- Updating their internal data protection policies;
- Maintaining relevant documentation on processing activities;
- Appointing a data protection officer;
- Implementing measures that meet the principles of data protection by design; and
- Completing data protection impact assessments where appropriate.
If you want to learn more about the GDPR’s requirements and how they will affect educational institutions and other organisations, you should take a look at our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course.
This one-day course is delivered by an experienced data protection practitioner, and is suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance and those with a basic knowledge of data protection who want to develop their career.