Your University only has until 25 May 2018. That's when the General Data Protection Regulation (GDPR) becomes law here in the UK.
That's when your University's Data Protection Officer (DPO) becomes the accountable, principal point of contact for your enquirers, applicants and students who have been processed through your student recruitment software.
Your DPO will need to be confident that your Marketing, Recruitment and Admissions teams have collected personal data correctly. They will need to know that you can prove that consent to process their data was obtained in accordance with this new strict framework, and that your subsequent recruitment activities respected the permissions given.
They will need to understand the rights granted to individuals under the GDPR: erasure, portability, subject access and objection. They will need to be able to respond properly whenever a subject access request (SAR) comes in. They will need to be sure that the collection, processing and accessing of sensitive data like criminal convictions and disabilities (now called Special Categories) is treated very carefully indeed.
They will need to know that appropriate technical and organisational measures as well as effective policies and procedures are in place. They will need to know not only that you have reduced the chances of a data breach from within your student recruitment software, but also that if one does occur on their watch, it reaches the ICO within 72 hours. They will want to demonstrate to the ICO that they can and did respond to and contain any breach of security swiftly and effectively.
In other words, your Data Protection Officer is going to need to know they can rely on the team and technical expertise from your student recruitment software provider.
In November 2016, many software providers are still trying to work out just how they will handle the new requirements, but will they be ready in time? Some will and some won't.
All providers should eventually be making technical changes to how data is structured, stored and accessed. They should eventually be training their own customer support, project management, account management and managed services teams not only to be GDPR compliant but also, and more importantly, to understand that they now share responsibility for your University's initial and continued GDPR compliance.
Here at Data Harvesting, home of Student CRM, we are well underway in our preparations for GDPR. Progress to date?
- With strong support at board level, we have recently met with and discussed GDPR compliance challenges with Microsoft's identity and security experts at Microsoft's head office in the UK.
- We have discussed GDPR challenges with InfoSec officers from several universities, engaged university cyber crime consultants and considered likely attack vectors for breaches.
- We are putting the finishing touches to our GDPR Partner Programme to be made available to our current UK University clients in Q4 2016.
- We have mapped out our technical requirements for database changes and data processing controls within our Student CRM product to meet GDPR.
- Our new Security Centre app (ships Q2 2017) contains new GDPR tools alongside our threat detection and user access lockdown to make your CISO's job easier.
If you work at a UK University and want to talk in confidence about your student recruitment software GDPR readiness, you can message me on LinkedIn.
Dom Yeadon
Managing Director & Founder at Data Harvesting