While digital transformation enabled continued education during the pandemic, the rapid change brought a renewed focus on data protection for universities and their tech providers. Coupled with the UAE announcing its Protection of Personal Data Law (PDPL) in Q1-2021, this is an important time for UAE institutions and education technology providers to examine their approach to data protection.
The PDPL is the first comprehensive federal data protection law in the UAE — released as part of a broader national legal reformation program — and heavily influenced by the EU General Data Protection Regulation (GDPR). As such, the PDPL imposes a high standard of data protection with strong rights for individuals and stringent requirements on organisations to evidence their compliance through detailed documentation such as data protection impact assessments.
Similar to others around the world, education institutions in the UAE must manage a growing volume of personal data about their students to help deliver more personalised experiences and support outcomes for every learner. While capturing this personal data is done in the interest of the institution and its learners, it also means universities have a deeper responsibility to be vigilant and use this data appropriately.
Ever-changing regulatory landscape
The PDPL went into effect on January 2, 2022. However, it will not be enforced until six months after the publication of further executive regulations. Once these regulations are published, organisations will have just six months to achieve compliance with the new law, which leaves little time for larger entities like schools and universities to assess the new law, review their existing documentation, governance and processes, and make the necessary adjustments.
Institutions that have already aligned their data protection approach to the GDPR, especially international universities with branches in the UAE, will benefit and can focus on assessing if and how the PDPL requires modifications to their existing GDPR-based programs.
Other institutions will need to swiftly review the PDPL requirements and start building the necessary programs by mapping the flows of personal data within their organisations, implementing required policies and documentation, making sure they implement processes that facilitate the rights of individuals, and ensuring that their vendors can assist them with PDPL obligations.
University leaders can take these four steps to begin preparing their institution now:
Establish an implementation team
One of the first steps is to establish a dedicated project team with project management experience, sufficient data protection expertise and, crucially, leadership support. From experience, data protection law implementations at institutions with decentralised departments are often slowed down by a lack of clearly assigned roles and responsibilities and a lack of senior management support.
Identify personal data
Institutions will have to conduct a data mapping exercise and identify personal data that is processed about students, faculty and staff. The information will need to be maintained in a register referred to as the Record of Processing Activities (RoPA).
Gap assessment and action plan
Based on the information about the identified personal data, institutions need to determine where PDPL requires changes to their governance, policies, processes, privacy notices, etc. They must then develop an action plan to address the identified gaps in a manner that translates the often principle-based requirements into specific and practicable actions.
Assess vendor risks
Maintaining a vendor risk assessment process is an important pillar of an institution’s data protection program. As part of the implementation, institutions should review existing vendors and the related contracts and ensure that any new vendors can meet the requirements of PDPL.
There are many components that make an academic institution successful. Creating and maintaining trust with students and staff through robust data protection practices is one of the key components.
Multiple reports suggest that students, parents and academic institutions are committed to continuing a hybrid form of learning, meaning increased use of evolving technologies and likely the continued collection of large amounts of personal data.
By leveraging robust technology in partnership with trustworthy vendors and developing solid internal data protection and security practices, institutions can ensure they meet the PDPL requirements and that their most valuable information is safe and secure. Then students and faculty can focus on learning, knowing that their personal data is in good hands.
