General Data Protection Regulation and how the IB is preparing for it

Many of you will have heard of the new EU General Data Protection Regulation. Please read on to understand more about the “GDPR” and what the IB is doing to prepare for it.

What is the “GDPR”?

The GDPR is a new data protection law that was announced in 2016 and which, from 25 May 2018, will replace all the existing data protection laws across the EU.

The GDPR is not a complete overhaul of the existing rules. All the basic principles in the current law stay the same, as do IB’s core obligations to protect personal data and use it in a fair and transparent manner.  However, the GDPR will also introduce some additional obligations for the IB and new rights for the individuals whose personal data we process.

By way of some examples:

  • We will need to give more information to individuals about how we use their personal data.
  • We will need to give individuals more rights over their own personal data, e.g. allowing them to object to certain uses, have their data erased, and access it in a machine-readable format.
  • We will need to conduct data protection impact assessments before we do something substantially new with personal data, and build privacy safeguards into the design stage of any new business processes, new systems or user functionality or when making any major changes.
  • We will need to continue to have appropriate security measures in place to protect the data and report any breaches to the respective Data Protection Authority within 72 hours.

The potential fines available for a breach of data protection law will also increase substantially, so it is more important than ever that we comply with our obligations under the law.

What is the IB doing to prepare?

The IB started a project after the GDPR was adopted to address the requirements of the GDPR in time for the May 2018 deadline, working with external legal counsel.

As part of this project, we are:

  • Reviewing our existing privacy notices and consent wording, and updating them to meet the new requirements;
  • Reviewing and updating contractual documentation for our service provider and vendor relationships;
  • Introducing some new internal policy documents, to provide guidance to all personnel on how to handle personal data in accordance with the GDPR; and
  • Considering what changes are needed to our existing systems and processes to enable us to comply with the GDPR requirements, including its record keeping requirements.
IB is a Data Controller under the GDPR 

The IB considers itself as a data controller when carrying out its educational mandate. The IB has carried out a legal analysis with the help of outside counsel and concluded that the IB is a Data Controller of personal data when processing personal data of students, school staff of IB World Schools or other IB stakeholders as part of its educational mandate. IB coordinators or other school staff and IB stakeholders submit personal data (e.g. student and school staff data) to the IB and the IB determines the actual means and purposes of the processing of such personal data and acts independently when doing so. For example, the IB collects data from IB coordinators about students and assesses their coursework, designs and corrects the Diploma Programme examinations for students and then issues a IB diploma to successful students.

When processing personal data as a controller, the IB is itself subject to the GDPR provisions applicable to data controllers. 

How IB handles its stakeholders’ personal data

Any personal data entrusted to the IB will be handled in line with the IB’s Privacy Policy.

The IB confirms that it takes data protection and data privacy seriously and reassures you that it does not sell, rent or otherwise make your personal data available to third-party marketeers or advertisers under any circumstances.

Data Protection Officer

The IB has appointed a Data Protection Officer. If you have any questions about the GDPR and what it might mean for you, please contact privacy@ibo.org.