The EU Parliament has seen a lot of to-ing and fro-ing of the issue over the years, but they’ve finally set a date for implementing a strict zero-tolerance policy towards privacy and data protection.
The General Data Protection Regulation (GDPR) is set to become fully effective on 25th March 2018, after which date any organisations that fail to comply with the GDPR will be charged with a fine of £17.2m (€20m) or 4% of their annual turnover – whichever is higher.
Leigh Cowell of Kingston Memory Shop, Lancashire-based encryption experts, has issued a warning to local authorities: “If you work in the education sector, you need to take action right now. This applies to all of us and we can’t afford to simply ignore it. The message from the GDPR is clear - reconsider how you collect and store personal data or take a hit. It’d be such a huge shame to see thriving schools, nurseries and universities across the country suffer over something so easily avoidable.”
Whilst 69% of businesses say their senior management consider cyber security a very or fairly high priority for their organisation, only half of businesses have actually taken recommended actions to identify cyber risks. The Information Commissioner’s Office (ICO) have warned that “we’re all going to have to change how we think about data protection.”
The new GDPR aims not only to harmonise previous EU privacy directives among member states, but also to modernise them to account for digital technology.
The new legislation has laid out new requirements for businesses, including:
● Organisations over a certain size must employ a Data Protection Officer to ensure data is responsibly collected and appropriately secured.
● Data security breaches must be immediately reported to the ICO, no later than 72 hours after the breach occurred.
● Individuals are entitled to ‘the right to be forgotten’, which allows them to withdraw consent for the use of their personal data.
What is classed as ‘sensitive’ data?
In the digital era, defining ‘sensitive’ data can be complex. It is no longer just names, addresses and credit card details but also the likes of cookies, emails and IP addresses from your website. There is an expectation that education workers already have measures in place in order to protect personal data concerning their pupils.
The ICO believe that the more expansive definition in the GDPR provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For organisations that don’t collect personal online data, the collection of such information in the form of attendance and medical records may already be compliant with Data Protection regulations – but appropriate security and encryption of this data is now mandatory rather than recommended.
How can education workers make sure that they are protected?
The requirements set out by the GDPR depend on the size of the organisation, but even small and medium-sized businesses, including schools, are expected to adopt measures enforced on larger businesses and implement them appropriately.
All organisations are susceptible to cyber threats and data breaches, so it makes reasonable sense for them to completely reconsider their method of protecting personal data in order to avoid the tough penalties enforced by the GDPR.
Data encryption ensures that, should the data fall into the wrong hands, it is incomprehensible and meaningless. Many businesses are planning to roll out a default ‘encrypt everything’ approach to data collation in order to protect themselves at all costs.
If you think your organisation might be affected by the new GDPR and would like more information, speak to Kingston Memory Shop’s online chat team or shop their range of GDPR encrypted flash drives.