As a virtual learning environment (VLE) supplier, we have access to and utilise a lot of personal data provided by our customers, who are the ultimate ‘controllers’ of this data. We are therefore, by definition, the ‘processors’ of that data, and GDPR places specific legal obligations and additional responsibilities on processors that the DPA previously did not. How are we preparing for this change?
Two decades after the ‘Data Protection Act’ (DPA) became law in the UK, 25th May 2018 marks its replacement by the EU-led ‘General Data Protection Regulation’ (GDPR).
How serious is GDPR?
The short answer is: very. Personal data and how it’s used has been a point of contention for some time now, and the ICO has already dished out some pretty hefty fines:
- 2010: 2 fines totalling £160,000
- 2011: 7 fines totalling £541,100
- 2012: 17 fines totalling £2.1m
- 2013: 14 fines totalling £1.52m
- 2014: 9 fines totalling £6.7m
- 2015: 18 fines totalling £2.03m
- 2016: 21 fines totalling £2.16
- 2017 to 31st October: 52 fines totalling £3.5m+
The maximum fine the ICO can currently issue is £500,000, but under the new law it can amount to 4% of annual turnover or €20m, whichever is greater.
Will GDPR still apply after the UK departs the EU?
In theory, GDPR could be abandoned entirely post-Brexit. However, on 21 June 2017 the UK Government declared its intention to maintain the regulation and embed it into UK legislation, so it is very likely to stay.
So what is CoSector doing about GDPR?
Preparing for GDPR is like taking a long British motorway trip to one of your favourite destinations. The journey is absolutely necessary, largely dull and full of bottlenecks, but you take great care to ensure the safety of those around you. And of course, once you get to where you need to be, you realise the journey was worthwhile.
We take our customer data very seriously and have already changed the way we communicate with contacts, as well as amending our contracts to ensure that both we and our clients meet the requirements of GDPR. As a subsidiary of the University of London, we largely fall under the same governance.
Our general responsibilities
We need to keep a written record of all controllers for which we act as a processor, and this record will be made available to the Information Commissioner on request. It includes:
- contact details for the controller
- summary of what data we process
- overseas transfers and details of what safeguards we are using
- a description of the security measures we use (an accreditation or reference to policies and procedures)
We have a dedicated data protection officer
The new law requires that large organisations have a dedicated data protection officer. CoSector has, through the University of London, a Data Protection Officer who provides advice and assistance on the management of personal data. CoSector is also already accredited to ISO27001 for its software and hosting provision. We have therefore made significant headway towards being 100% compliant with GDPR.
How we keep data secure
We take the following steps:
- pseudonymisation and encryption of personal data where required
- backup and business continuity processes
- regular testing and assessment of security
- a level of security appropriate to the risk associated with the data
- full training for all staff, who access and use the data only for the purposes set out by the controller
In our next blog on GDPR, we’ll look at the rights of the end user and how we as a data controller and our clients need to work together to ensure users of our services are able to make decisions and take control of their data usage.