Implementation of the General Data Protection Regulation in Slovenian Higher Education
Purpose:
The article examines differences and similarities in how teaching and non-teaching staff at three Slovenian public universities perceive the level of implementation of the “General Data Protection Regulation (GDPR)” („Regulation (EU) 2016/679 of the European Parliament and of the Council ... and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR)“ 2016) in Slovenian higher education. The analysis takes account of the adoption of the national data protection act (“Zakon o varstvu podatkov, (ZVOP-2)”, 2022) being delayed until late 2022, the disruptions brought by the coronavirus disease 2019 [COVID-19] pandemic, along with insights from the universities’ data protection officers [DPOs].
Design/Methods/Approach:
In May 2022, a quantitative study using a questionnaire was administered to teaching and non-teaching staff at the University of Ljubljana, the University of Maribor, and the University of Primorska. The questionnaire covered key GDPR areas, with additional structured interviews being conducted with each university’s DPO.
Findings:
It was revealed that the pandemic and the legislative delay negatively impacted implementation of the GDPR. Significant differences were observed between groups of staff, notably on understanding of the legal bases, data breach procedures, and the allocation of responsibility while processing personal data.
Research Limitations / Implications:
The study refers to the higher education sector; still, the findings may also apply to other areas in the public and private sectors. The methodology could be extended to lower levels of the Slovenian education system (higher vocational, secondary, primary; also educational institutions), while similar studies performed abroad could use it to provide an international comparison. The results could also underpin more research concerning implementation of the GDPR in other public-sector organisations, and an evaluation on the level of the supervisory authority, which would permit a more comprehensive systemlevel assessment of compliance.
Practical Implications:
The study is the first to empirically investigate implementation of the GDPR in Slovenian higher education. The importance of raising awareness among key stakeholders to ensure lawful, effective and coherent implementation of the data protection rules in practice is shown. Concrete guidance is provided for improving/upgrading existing institutional practices and helping to develop a more consistent data protection culture within the sector.
Originality/Value:
The study stresses the urgent need to improve sector-specific guidance, clarify the legal bases, and raise awareness among stakeholders in higher education. The results may be seen as valuable input for shaping national policy and institutional practices and support the development of good GDPR-implementation practices in the broader European higher education context.
UDC: 342.738:378
Keywords: data protection, GDPR, COVID-19, Slovenia, higher education