GDPR is on its way. If you work within an educational institution, there is no doubt you will have already seen preparations ahead of the impending 2018 deadline. There is a great deal to consider to be certain schools, academies, colleges and universities will meet its requirements. And many will now be well-versed in the potential ramifications of non-compliance, with fines of up to €20m, or 4% of an institution’s annual turnover, regularly being raised to motivate the less eager into action.
But while there is a lot to think about and prepare, there is still time. Questions that need to be answered include: What data do we hold, and what was its source? Who has access to this data now, and who should have privileges to access it in future? How is our data being stored and utilised? And finally, who is going to manage this process? Under the GDPR, you must appoint a Data Protection Officer (DPO) if you are a public authority or body, or if you carry out large-scale systematic monitoring of individuals. While the interpretation of these criteria is still being debated in some circles, it is nevertheless clear that it would be prudent for any educational establishment to have somebody take responsibility for ensuring compliance.