How we're preparing for GDPR

Friday, November 03, 2017 09:00

by Dan Hughes

As a virtual learning environment (VLE) supplier, we have access to and utilise a lot of personal data provided by our customers, who are the ultimate ‘controllers’ of this data. We are therefore, by definition, the ‘processors’ of that data, and GDPR imposes specific legal obligations and additional responsibilities that the DPA did not. How are we preparing for this change?


Two decades after the ‘Data Protection Act’ (DPA) became law in the UK, 25th May 2018 marks its replacement by the EU-led ‘General Data Protection Regulation’ (GDPR).


How serious is GDPR?

The short answer is: very. Personal data and how it’s used have been a point of contention for some time now, and the ICO has already dished out some pretty hefty fines:

  • 2010: 2 fines totalling £160,000
  • 2011: 7 fines totalling £541,100
  • 2012: 17 fines totalling £2.1m
  • 2013: 14 fines totalling £1.52m
  • 2014: 9 fines totalling £6.7m
  • 2015: 18 fines totalling £2.03m
  • 2016: 21 fines totalling £2.16
  • 2017 to 31st October: 52 fines totalling £3.5m+

The maximum fine that can be given by the ICO is £500,000, but under the new law it can amount to 4% of annual turnover or €20m, whichever is greater.

Will GDPR still apply after the UK departs the EU?

In theory, GDPR could be abandoned completely post-Brexit. However, on 21 June 2017 the UK Government declared its intention to maintain the regulation and embed it into UK legislation, meaning it’s very likely to stay.


So what is CoSector doing about GDPR?

Preparing for GDPR is like taking a long British motorway trip to one of your favourite destinations. The journey is absolutely necessary, largely dull and full of bottlenecks, but you take great care to ensure the safety of those around you. And of course, once you get to where you need to be, you realise the journey was worthwhile. 

We take our customer data very seriously and have already made changes to the way we communicate with contacts, as well as changing our contracts to ensure we and our clients respond to GDPR. As a subsidiary of the University of London, we largely fall under the same governance.

Our general responsibilities

We need to keep a written record of all controllers we act as a processor for, and this will be made available on request to the Information Commissioner. This includes:

  • contact details for the controller
  • summary of what data we process
  • overseas transfers and details of what safeguards we are using
  • a description of the security measures we use (an accreditation or reference to policies and procedures)

We have a dedicated data protection officer

The new law requires that large organisations have a dedicated data protection officer. CoSector has, through the University of London, a Data Protection Officer who provides advice and assistance on the management of personal data. CoSector is also already accredited to ISO27001 in terms of its software and hosting provision. We have therefore made significant headway towards being 100% compliant with GDPR.

How we keep data secure

We take the following steps:

  • the pseudonymisation and encryption of personal data where required
  • backup and business continuity processes
  • regularly testing and assessing security
  • applying a level of security appropriate to the risk level around the data
  • all staff are fully trained and only access and use the data for purposes set out by the controller

In our next blog on GDPR, we’ll look at the rights of the end user and how we as a data controller and our clients need to work together to ensure users of our services are able to make decisions and take control of their data usage.
