General Data Protection Regulation (GDPR)
As an awarding organisation, Pearson is responsible for its qualifications development, awarding, and post-awarding processes. We have a legal obligation (such as conferred on us by statute - the Apprenticeships, Skills, Children and Learning Act 2009) to develop and award qualifications. As such, we are required as a data controller to perform a variety of activities to fulfil that obligation and we are responsible for our own compliance, as we are not acting on the instructions of our learning centres who may avail themselves of our services.
Therefore, all of the activities we carry out in pursuit of that goal are covered by the provision in the General Data Protection Regulation (GDPR), which relates to processing for the purpose of fulfilling a legal obligation. This provision already exists in the current Data Protection Act (1998).
As an awarding organisation recognised by Ofqual, Pearson has certain statutory obligations in respect of its functions; as such, it is the data controller rather than the data processor of personal data it holds. Therefore, we are not required to set down all of our processing and privacy activities.
We have arrangements in place for how personal data is secured and processed. Pearson is also subject to regulatory requirements, as per Ofqual who regulate examinations and assessments in England for complying with retention of personal data.
We have an obligation to notify data subjects of the processing activities that we undertake and we already do this. Please refer to the JCQ General Regulations for Approved Centres.
In line with the above, we currently have a GDPR programme underway to ensure that we are focused towards becoming compliant with the new GDPR rules. As a result, we have a number of initiatives ongoing, e.g. consent, notices, contracts, privacy by design, accountability, governance and raising awareness, to name a few. For further information, please read the following document:
This has very much been a work in progress since 2016 and will continue beyond 25 May 2018 when GDPR becomes law in EU member states.
Data Privacy Office, 16 April 2018