GDPR: One Year On

On 25th May 2018, the General Data Protection Regulation came into force. In this blog post, Andrew Cornforth and Cerys Wyn Davies of Pinsent Masons reflect on the impact the new regulation has had on universities.

It has been just over a year since the introduction of GDPR, and so far the sky has not fallen in. We have however, seen some major changes in the data protection landscape, and although for the most part we have not yet seen the huge administrative fines now available to the regulators, the indications are that some of these are soon going to land.

Perhaps the most important change is increased awareness of data protection requirements, and a consequent increase in the degree of concern about this. In the new data protection environment, organisations are seeking to comply with unfamiliar legislation against a backdrop of greater scrutiny where there appear to be fewer carrots and much bigger sticks.

It is no wonder, then, that organisations, including HEIs, are proceeding with caution. The ICO received 14,000 personal data breach reports between 25 May 2018 and 1 May 2019, up from 3,000 in the previous year. Whilst this spike in notifications is no doubt predominantly due to the GDPR’s more onerous reporting requirements, it is also, to some extent, a product of organisations taking a “better safe than sorry” approach. The ICO has noted overt cases of “over-reporting”, where a reported incident was caveated by a statement to the effect that the controller did not believe the incident reached the threshold for mandatory reporting. It is also telling that in the first nine months following GDPR, the ICO closed 7,771 reported incidents as requiring “no further action”, a figure representing 66% of the number of incidents reported in the same time period.

We note, as an aside, that making an unnecessary report might invite additional regulatory scrutiny in relation to data protection procedures and policies of the organisation (which may be found to be insufficient).

In the HE sector, many clients conscious of potential scrutiny have asked us to support them on reviewing historic data sharing or processing arrangements, as well as collaborations with new partners, to ensure that such arrangements are put on a compliant contractual footing. To address this, we have created template data sharing and data processing agreements for many HEIs. Whilst templates prove very helpful they are not a magic bullet. In particular, the determination as to whether a party is a data controller or a data processor has always been of fundamental importance in data protection law and can present a real challenge. It is often not an easy decision to make.

GDPR has not fundamentally changed the decision making as to who is a controller and who is a processor, but it has made it more important to make the right decision due to the implications which flow from this, in particular the required contractual provisions. Such a determination is likely to be the subject of additional scrutiny, as well potentially as the consequences of getting it wrong. Over the past year, we have seen real demand from HEIs for both advice and training in this often difficult, and usually very fact-specific area. We have also frequently advised on the content and detail which needs to be provided in the data processing particulars which are annexed or scheduled to data sharing or processing agreements.

Data sharing has been a key issue for HEIs, particularly in the context of when it is appropriate to disclose student personal data to third parties (or emergency contacts) where there are concerns in relation to a student’s mental health, or to the police when a student has been the victim of a sexual assault. We have also advised on the extent to which HEI’s can require the disclosure of criminal convictions on enrolment.

As HEIs are increasingly international, during the past year we have also been supporting the creation of appropriate data transfer mechanisms in relation to partners located in the EEA and outside. Often the challenge here has been to persuade such partners, whether overseas agents or institutions, first that they are caught by GDPR’s extra-territorial reach, and then that as a result of being so caught, they are required to sign up to the Standard Contractual Clauses.

However, the long reach of GDPR also means that it is becoming the gold standard for privacy across the world, and organisations everywhere are implementing policies and procedures which offer data subjects a similar level of protection.

Whilst HEIs have certainly been under greater pressure to ensure GDPR compliance, we have also seen best practices increasingly introduced as standard. Decisions about whether to process, for what purpose, and on what grounds are being made consciously, and are being documented in HEI’s records of processing activities. Certain historical processing activities are also being reviewed, and found not only to be unlikely to comply with the new regime, but also the old DPA.

More often than not, we have found that GDPR has not prevented processing activities, but greater scrutiny has been required. Over reliance on consent is receding, and justifications for processing are becoming more specific. This has undoubtedly been difficult for many institutions to navigate in GDPR’s first year, but whilst certain processing decisions will always require judgement calls to be made, the application of the legislation will become easier as it becomes more familiar.

HEIs have been required to take a fresh look at their processing activities, and are responding to the challenge.