Best Practice

Are you ready for GDPR?

The General Data Protection Regulation – GDPR – comes into effect on May 25. Steve Baines discusses how schools can prepare

The General Data Protection Regulation (GDPR) replaces the Data Protection Act (1998) and is being introduced to tighten the security surrounding the way personal data is handled. GDPR becomes mandatory from May 25 onwards, so now is the right time to make sure your school is ready for the changes.

GDPR gives schools greater responsibility for their data and gives individuals more control over their own personal data. With this come requirements that your school must meet in order to be compliant:

  • You must appoint a Data Protection Officer. This person must have experience and knowledge of data protection law so that they can ensure the school is GDPR-compliant and meeting the correct requirements.
  • You must ensure that any of your school’s third-party suppliers who have access to your data are also GDPR-compliant, and you must have legal contracts with any company that processes personal data. These contracts must set out exactly what data is being used, who is using it, who has access to it and how it is being protected.
  • Opt-in consent must be obtained for anything that isn’t within the normal business of the school, especially if it involves a third party using the data. Parents (or the pupil, depending on their age) must give their consent for the use of personal data outside of the everyday business of the school, and also for the use of photographs, such as on your website or social media.
  • It is essential that all data breaches that are likely to have a significant detrimental effect on the individual are reported to the Information Commissioner’s Office (ICO) within 72 hours.

There is no reason to worry if your school already has strong data protection in place, as GDPR is a way of further strengthening the way you manage personal data. Your pupils and their parents have always had the right of access to their data, and GDPR makes it even easier for them to request it. However, a major change under GDPR is that individuals now have the right to be forgotten, and you will need clear retention policies to ensure you comply with this new aspect.

What can you do now?

There’s still a lot of time for your school to prepare for GDPR, but May 25 will come round quickly. There’s plenty for your school to be getting on with in the meantime to avoid having to plan last minute:

  • Take the time to train the senior management team and ensure staff members are fully aware of GDPR and its potential impact. All your staff should be trained according to their responsibilities and roles. For example, you should set up general GDPR training for all staff as well as offering more in-depth training for staff with more responsibility.
  • Spend some time reviewing all of the personal data you currently hold – including data on pupils, staff, parents, suppliers and governors – and record it in an organised audit.
  • It is important that you identify all software currently used in your school, including any apps downloaded by teachers in their classrooms. Your school must know exactly what is being used, for what purpose, and what personal data each piece of software processes. Failing to do this could lead to a breach of GDPR and enforcement action from the ICO, resulting in negative publicity for your school, or even a fine if the breach is serious enough.
  • You should start to consider your Data Protection Officer. This person will be responsible for advising you on GDPR and ensuring you are compliant with all requirements. You will need to consider who you appoint carefully as they have to report to the highest level of management and cannot have any conflicts of interest.

Conclusion

It is still not 100 per cent certain exactly how GDPR will affect schools and no specific guidance for education has been produced. However, if schools put into place general best practices then they will be well placed when the changes come into effect.

Further information

  • General Data Protection Regulation: Evolution or Revolution for Schools? The DfE Teaching Blog, October 2017: http://bit.ly/2j0ufHa
  • Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now, Information Commissioner’s Office: http://bit.ly/2ymWk0k