Implications of the GDPR for Academia
INCREASED MAXIMUM PENALTY
One of the biggest changes to appear from the regulation is that academic institutions who are defined as data collectors can now pay maximum fine of €20 million, or 4% of the institution’s global turnover (whichever is larger) for a data breach. This will encourage institutions to take a serious approach to data security with more urgency to avoid being fined.
THE RIGHT TO CONSENT
In order for an institution to process an individuals’ data they rely on consent; however they must also be able to demonstrate that the consent was ‘freely given, specific, informed and unambiguous.’ For example, institutions using students’ data for marketing purposes such a as survey, must have made the students aware this was going to take place and list all parties involved with processing the data. Failure to do so may result in legal implications for the institution. This may mean for some institutions that their current processes in place are already non-compliant with the GDPR.
It is important for academic institutions to start planning their approach to compliance by knowing the information that they hold, what they use it for, where it came from and what they use it for. This will help to show how the organisations is accountable for the data and how to comply with the GDPR data protection values.
It is crucial for institutions to appoint a Data Protection Officer if they have not done so already. This is a legal requirement for public authority and will make compliance with the GDPR a much smoother process.
Academic institutions may have to review their privacy policies because under the GDPR there are additional details that must be provided to data subjects when obtaining their data. Data processors must provide the legal basis for processing the data, the retention period and the data subjects right to complain to the Information Commissioner’s Office (ICO) if they feel their data is being misused.
REPORTING DATA BREACHES
The GDPR brings along a policy stating that all organisations must inform the ICO if any data breaches that occur within 72 hours. For more serious risks caused by a data breach such as financial loss, organisations must inform the affected individuals directly.
The GDPR will change many institutions rules, regulations and processes currently in place for data protection. These new changes in most cases, will benefit the academic institution and data subjects by providing a better understanding of how information is processed along with improved data security.