Less Than One Year Before Far-Reaching GDPR Rules Are Introduced
The majority of educational establishments are unaware of the new wide-ranging data protection rules which come into force in less than a year’s time - despite 26% admitting it would lead to redundancies if they incurred the maximum fine for non-compliance.
According to a YouGov survey of over 50 educational establishments, which was commissioned by national law firm Irwin Mitchell, only 21% admit to being aware of the new General Data Protection Regulation (GDPR) which comes into force on 25 May 2018.
GDPR represents the biggest change in 25 years to how organisations process personal information and it replaces existing data protection laws.
Under the new rules, the maximum fine for certain data breaches in the UK will rise from £500,000 to €20million or 4% of global turnover, whichever is larger.
Eighty-nine per cent of educational establishments are unaware of the new fines, with 6% claiming they would need to make significant job cuts if they received the maximum punishment. A further 20% admitted that smaller-scale headcount reductions would be necessary.
Joanne Bone, partner and data protection expert at Irwin Mitchell, said:
Expert Opinion
“These results are concerning because with next May’s deadline fast-approaching and with so much at stake, our study reveals there’s a very real possibility that a large number of education establishments will not be compliant in time.
“There are some additional challenges for the education sector, particularly as they are engaging with children and young people and they will need to tailor their processes accordingly. Another issue to be aware of relates to new technology including body cams in the classroom, which will create new challenges in terms of how data is stored.”
Joanne Bone - Partner
Under the new regime, certain data breaches that have an impact on privacy, such as a customer database being hacked or a letter being put in the wrong envelope, must be reported to the Information Commissioner’s Office (ICO) within 72 hours.
However, Irwin Mitchell’s survey found that just 17% of educational establishments are certain that they would be able to detect a data breach. Only 32% say they are confident they would notify the relevant stakeholders within the required timescale of three days.
Other changes under the GDPR include an obligation to be more transparent about how personal data is used. Organisations will also need to have processes in place in case an individual asks for all their personal data to be erased.
Irwin Mitchell believes the low level of awareness of GDPR is caused by a number of misconceptions about the new rules and says this has led to a degree of complacency.
This view is supported by the 42% of respondents in the sector who claim that GDPR will have no impact and is not an issue for their sector. Ten per cent claim it isn’t relevant because they are not a consumer business.
The reality is that the rules encompass a wide range of personal data including employee data, payroll and pension records.
Expert Opinion
“Contrary to popular belief, personal data is not just consumer information. It is hard to think of a business today that does not use personal data. Whether you have employee data, customer data or supplier data – if the data relates to an individual you will be caught by the new data protection laws.”
Joanne Bone - Partner
Irwin Mitchell’s latest GDPR report can be downloaded from here.