Complying with the GDPR (General Data Protection Regulation) is mandatory for corporations, public administrations, and companies operating within the EU (European Union). This is our case: as a company located and registered in Spain, a member state of the Union, we must implement technical and organizational measures to comply with the law.
The RGPD (GDPR in English) is the European regulation on the protection of the personal data that individuals hand over at certain moments. It has been in force since May 25, 2018, and its articles set out precise measures protecting citizens.
With the arrival of the European regulation, the Spanish LOPD (Ley Orgánica de Protección de Datos Personales) has been adapted to the European framework and has become more demanding. It has even expanded its scope to include cybersecurity, becoming the LOPDGDD (Ley Orgánica de Protección de Datos Personales y Garantía de Derechos Digitales – Organic Law for the Protection of Personal Data and Guarantee of Digital Rights).
To comply with the RGPD, we must take into account several issues, such as having a clear and transparent policy, storing data without disclosing it, and designating a person responsible for the custody of the recorded information. These are aspects that the legislation of other countries does not take into account, which is why the European regulations are among the strictest.
Additionally, in Spain, we have the AEPD (Spanish Data Protection Agency), which is the body that ensures compliance with the regulations.
Basic principles to comply with the GDPR
The great novelty in the new regulations is the rights of individuals and the duties and responsibilities of companies, with the former taking precedence over the latter.
And this protection is not limited to the continent: it is forbidden to transfer personal data outside the European Economic Area to a country that does not offer sufficient protection for it.
The regulation contains three fundamental principles.
- Responsibility for the data, which must be accurate and up to date and must be used only for the purposes that have been notified.
- Protection and confidentiality of personal data, without disclosure.
- Transparency and explicit communication of why the information is collected from the person, so that they can grant consent for its processing.
Thus, citizens have the right to access and rectify their data, to know what it is used for and who is responsible for it, to object to its processing and transfer, and even to request its deletion.
How to comply with data protection law in an educational institution
We would like to highlight the special attention schools must pay to the confidential information of their students. Academic centers are one of the sectors that are obliged to appoint a data protection officer, along with healthcare centers, insurance companies, and financial centers.
Such is the importance of this sector that the AEPD has drawn up a specific decalogue for educational centers that addresses the processing of student data, including images and the use of their data on digital platforms and social networks.
For an educational center to follow the guidelines of the law, it must follow a series of obligations:
1. Appoint a Data Protection Officer and sign contracts with data processors.
2. Sign confidentiality commitments with employees: administration, teaching staff, etc.
3. Keep a register of processing activities and carry out periodic audits and risk analyses.
4. Obtain consent for the processing of data and inform data subjects.
5. Enable the exercise of rights by the student and/or parents.
GDPR compliance with Smowltech
Likewise, schools should draw up protocols and guidelines for the use of ICTs by teachers. In this sense, if SMOWL is used as the proctoring system, the school must inform teachers and students.
With us, you can be sure that you will comply with the law. Following articles 12 and 13 of the RGPD, we comply with the principles of transparency and communication with organizations and students by explaining how our online evaluation system works, what data we collect, and how we do it.
From the beginning, we make it clear that the user grants permission at all times and accepts the terms and conditions of use.
Once authorized by the user, the SMOWL system associates an alphanumeric code with the user, so that the user’s identity is known only to the training center.
The student’s biometric identification data does not remain in our system beyond what is strictly necessary. We limit ourselves to a 1-to-1 comparison: the person’s identification data is compared with the data captured during the test. Once the storage period dictated by law has expired, we destroy it. The evidence or information presented to the training entity is recorded in a report.
As for biometrics, the EU validated the ethics of our use of biometrics before including us in the most important research and innovation program in Europe, H2020. The aim of this program is to ensure that science and innovation from companies in the member states can compete on a global level.
We also comply with current legislation because we have a data protection officer ([email protected]) trained in the matter, as indicated in the regulations.
Penalties for non-compliance with data protection law
The RGPD contemplates higher penalties than those established by the LOPD. The LOPD provided for penalties of up to 600,000 euros; with the European regulation, fines can now reach 20 million euros or 4% of the previous year’s turnover.
This economic range depends on several factors:
- The type of infringement the educational center commits.
- Whether the negligence was unintentional.
- The responsibility of the data protection officer in the infringement.
- Whether it is a one-off or a repeat offense.
- The type of data that has come to light.
Also, the entity’s reputation is called into question in the event of a sanction. Nowadays, we citizens are very sensitive to the use of our private information, and knowing that a company has not taken care of it creates distrust and rejection. So, beyond complying with the RGPD and avoiding economic losses, you must consider the people who have decided to train with you.