General Data Protection Regulation (GDPR)

As an ethical organisation we take our responsibilities to our students, staff and partners very seriously. We are therefore taking all necessary steps to ensure we achieve compliance with the General Data Protection Regulation in time for its inception on 25th May, 2018.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is an EU-wide requirement which affects all businesses in the EU, or those which utilise the personal data of EU nationals in the course of their business activities. Brexit will have no effect on GDPR as the UK government has already committed to the new Regulation.

As such, the Regulation impacts upon Kings’ use and stewardship of personal data for all prospective, current or alumni students who are EU nationals, all UK-based staff, all partner agents and all third parties with whom we share personal data. This applies both to "controllers" of data and "processors" of data – both of whom are legally accountable for compliance.

Some key areas of GDPR which expand upon existing legislation include:

  1. The need to identify and record the legal basis for processing personal data
  2. Greater transparency in use of personal data
  3. Significant strengthening of consent conditions for use of personal data
  4. Specific requirements with regard to the personal data of children
  5. Increased individual right of access to personal data and its use
  6. Increased accountability for third party use of personal data
  7. The right to be forgotten (data erasure)
  8. "Privacy by Design" becoming a legal requirement
  9. Appointment of independent Data Protection Officers
  10. Requirement to notify of data breaches within 72 hours

Yes, but what does this all mean for me?

The new Regulation has the potential to impact colleagues across all facets of the organisation – teachers, managers, admissions and recruitment staff – in fact anyone who stores, uses or shares any personal data about staff, students, agents or other third parties in the course of their role.

The new regulations are broadly similar in intent to existing legislation. We have therefore already done much work in this area and will now build on what we have put in place to date. So there should be no particular concern that implementation of these new stipulations will be especially onerous.

But it is likely that some working practices may need to be altered in order to ensure full compliance. This may apply across both digital and hard copy data.

A full evaluation of what is required of every department will be made following audits which are scheduled to begin in early April.

Appropriate training will be given to every colleague to ensure awareness of responsibilities in order to fulfil on-going requirements to achieve compliance.

In the end, effective on-going compliance will be achieved not simply through IT solutions or updated privacy policies but through an appropriate mind-set and awareness shared by all colleagues.

GDPR Core Project Teams

We have engaged Martin Moran, an experienced, independent consultant to help us create a detailed, comprehensive GDPR Compliance Plan, taking us from initial audit to implementation – and beyond.

He will form part of Core Project Teams for the UK and US as follows:

UK Project Team:

Martin Moran, GDPR Project Director

Andrew Green, Director

Amy Ramsey, Director of College Services, UK

Andy Poole, Group IT Manager

US Project Team:

Martin Moran, GDPR Project Director

Andrew Green, Director

Jumoke Johnson, Compliance Manager, US

Andy Poole, Group IT Manager

GDPR Compliance Plan

This core team will in turn work with each relevant Head across all facets of the organisation in order to determine their specific path to compliance from audit to implementation.

These specific areas will include:

  • School operations
    • Kings Bournemouth
    • Kings Brighton
    • Kings London
    • Kings Oxford
    • Kings Boston
    • Kings Los Angeles (LA and Marymount)
    • Kings New Jersey
    • Kings New York
    • Kings at Wisconsin
  • UK Admissions
  • US Admissions
  • Recruitment
  • Marketing
  • Finance
  • Kings Summer

Each head of these functions will be accountable for ensuring compliance within their areas, ensuring that all necessary tasks towards compliance are completed by their nominated colleague/s to agreed timescales.

What does the plan entail?

The project will entail a range of tasks across multiple functions of the organisation.

These will include:

  1. Audit and gap analysis for each departmental function/school operation
  2. Creation of updated privacy notices and policy documents
  3. Documentation of the lawful basis for processing personal data
  4. Allocation of appropriate resource to fulfil tasks
  5. Implementing specific practices for the processing of children's data
  6. Configuration of any required technical systems
  7. Implementation of processes for satisfying individuals' rights under GDPR and for obtaining compliant consent
  8. Delivery of on-going training on GDPR for existing and new staff
  9. Review and update of all contracts with third parties
  10. Appointment of Data Protection Officers

And finally… there’s no need for concern

All the above might seem at first to be extremely onerous and time-consuming. However, in reality we already do much that is required as part of our on-going commitment to existing data protection requirements and our wider accountabilities around safeguarding and welfare.

With a plan in place and with the support and commitment from colleagues around the group we will be able to show that we are compliant with new legislation. More importantly, we will have the framework to ensure we are doing all we should be doing to protect our students and colleagues in an increasingly open digital world.