The General Data Protection Regulation (GDPR) took effect from May 2018 and signals a new era for data protection.
Introduced to keep pace with the modern digital landscape, people’s attitudes to their data and their demand that their information is properly looked after, the GDPR is more extensive in scope than the previous Data Protection Act (DPA). The Regulation extends the data rights of individuals and requires companies including Agents and Counsellors to develop clear policies and procedures to protect personal data and adopt appropriate technical measures.
The UK's decision to leave the EU will have no effect on implementation of the regulation which will mirror the legislation in force across the European Economic Area.
Sir Ciarán Devane, British Council Chief Executive Officer (2015-2019), on the new General Data Protection Regulation (GDPR)
How well we manage the personal data we receive from customers, staff and those we work with is key to sustaining the trust required to build friendly knowledge and understanding around the world. The new General Data Protection Regulation will require us to meet higher standards than ever before. It will require transparency in how we use people’s data whilst also requiring appropriate levels of security. We need to meet these standards, not just because of the significant fines that can result, but also because trust is something which is easy to lose.
Across the world, data protection laws are changing to reflect shifts in how individuals expect organizations to handle their personal information in the modern data driven world. In Europe, the General Data Protection Regulation (GDPR) came into force in May 2018. GDPR will give national regulators in the UK and EU the power to impose significant financial penalties of up to 20 Million Euros or 4 per cent of global turnover (whichever is higher) for serious data protection breaches. You all as Agents and Counsellors must be ready to adopt the changes required.
The new regulation means significant changes for the Agents and Counsellors and the rights for individuals you work with which include:
Enhances the right of the data subject to be informed about how their data is being used in a clear, concise and easily accessible way. This right relates to Privacy Notices and statements on usage of personal data for specified purposes.
This has not changed substantially from current legislation, but requests must be satisfied within 30 days and can be made free of charge.
Individuals can request that data they know to be incomplete or inaccurate be rectified within 30 days; this right also extends to records held by third parties or partners. This right places the responsibility on organizations to know where personal data is held and a means of rectification at short notice. Once the rectification is complete, the individual has the right to see proof of the updated records.
This right is sometimes referred to as the 'right to be forgotten', data subjects have a right to have personal data erased and to prevent processing in specific circumstances;
This right enables data subjects to object to parts of processing activity whilst not affecting a whole service or product.
The right applies mostly to service providers; it can be exercised by data subjects who wish to transfer their personal data between service providers. The right places obligations on companies to package contact data, service history and financial details into a common format in order to provide uninterrupted services.
The Freedom of Information Act gives individuals and companies, from anywhere in the world, the right of access to all types of 'recorded' information, which is held by public authorities. For the purposes of the Act, the institution will have been designated a ‘Public Authority’.
Students are entitled to access information held about themselves, except where that information would breach another person's privacy or where an exemption applies.
Students also have rights to prevent data processing which is likely to cause substantial and unwarranted damage or distress, to prevent processing for the purpose of direct marketing, and to correct inaccurate personal data.
As an agent you should be aware that institutions in the UK are subject to the Freedom of Information Act and will need to disclose information if a FOI request is received. Some information should be included in the agreement about procedures to follow if/when a Freedom of Information Act request is made. Ask your institution about this.
If you are processing personal data on behalf of the University you should ensure that you comply with the institution’s Data Protection and Freedom of Information policies and should ask about this. It is likely to be referred to in the Agreement you have with the institution.
The Agreement you have with your institution should also contain a clause about intellectual property rights. The institution retains the intellectual property rights over its materials as well as any material you publish in relation to the institution concerned.
For instance, if you translate a prospectus or prepare a leaflet or brochure in respect of the institution, provision should be clear about who retains the copyright in the material i.e. whether it is you, as the agent, or the institution.
Disputes can arise where this has not been made clear and can lead to litigation, as it did between two agents in one particular country over the copyright of some translated publicity material.
The use of the logo and name of the institution is also strictly controlled to ensure that it is used correctly. Most agreements do stipulate that the agent cannot use the logo or name of the institution unless there is prior approval in writing. Also, the agreement should make clear if prior approval of is needed for any publicity material.