Come May 25th 2018, the GDPR will come into effect, changing the way that schools, colleges, academies and all other organisations are required to manage and protect data. Data covered by the regulation includes everything from digital files and folders to paper copies of forms hidden away in cabinets in reception. Keeping data securely protected is already law, but the Data Protection Act is almost 20 years old and the way that data is created, stored and used has evolved a lot since then, so it is time for an update.
What does GDPR stand for?
GDPR stands for the General Data Protection Regulation. The regulation will update the Data Protection Act, which sets out much of the current guidance on data protection. GDPR aims to strengthen how schools and other organisations manage and protect data, with a focus on the protection of personal data.
While pre-existing legislation that schools must adhere to will remain in place, the GDPR sets out some drastic changes around how data can be processed and gives individuals more rights concerning their data than they have previously had.
Is the GDPR going to affect my school?
Yes. The GDPR will affect all organisations that hold data on European citizens, even if they aren’t in Europe themselves. Some have called it the ‘Global’ Data Protection Regulation. There are some significant changes in the regulation, and the way information is processed internally and externally will be important.
Key points to watch out for
Compliance with the regulation is vital for all schools and, given the sensitive nature of the personal data held, the risk of a data breach is huge. Compliance is something that needs to be worked towards on an ongoing basis.
Under the Data Protection Act, the ICO (Information Commissioner’s Office) has the power to give a maximum fine of £500,000 for a major data breach. A data breach is defined as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data. Under the GDPR these fines could reach up to €20,000,000 or 4% of global revenue. It’s worth knowing that the ICO, to date, has never fined a school for a breach and is more likely to implement an undertaking with the goal of improving a school’s protection policies and compliance with data protection laws.
Data Protection Officer
Under the GDPR public authorities must appoint a Data Protection Officer (DPO) who will be responsible for helping the organisation comply with the regulation and advising on policies. Fortunately for schools, a DPO does not have to be a direct employee of the organisation and can be shared between organisations (great news for multi-academy trusts and federated schools).
One of the core aims and principles in the GDPR is to ensure data is protected correctly, and with organisations sharing data with partners and external organisations it’s vital to make sure they are compliant too. Under the GDPR, a formal contract or Service Level Agreement (SLA) must be in place, and due diligence must be done to ensure that partners and suppliers are also compliant.
Actions to take
Compliance with the GDPR is an ongoing task within a school and, with so many different sources of information, no two schools will have the same rules to be compliant. Best practice and actions will help with compliance and ensure that if a breach occurs the ICO will look favourably on the case; compliance tools are available and can assist in this process.
The ICO guidelines on preparing for the GDPR set out 12 steps that all organisations can take. Some of these are more appropriate for businesses, but all can be applied to schools in some way.
- Awareness – Making sure that key decision makers within the school understand what the GDPR is and how it applies to them.
- Information held – Documenting what data is held within the school and understanding how long it should be held for and where it is stored.
- Communicating privacy information – As part of the regulation, privacy notices must be updated.
- Individuals’ rights – Processes in place around how data is used and held must be updated to ensure individuals’ rights are being protected. This will include data held on staff and pupils.
- Subject access requests – Under the GDPR, a data subject (person) can request a copy of the data you have on them. It’s important to have a process in place for this eventuality.
- Lawful basis for processing – If your school is processing data you need to have a reason why. If there’s no legal reason to keep data, then don’t.
- Consent – Recording and managing data will require consent from an individual unless there is another legal reason. Having up-to-date information on staff and pupils is enough reason.
- Children – There are special rules around the handling of children’s data; as a school, this should fall in line with current policies anyway.
- Data breaches – Put in place a policy to help you report a breach within 72 hours if one occurs. Hopefully, it won’t.
- Data Protection – You should already be doing this under regulations of the Data Protection Act and guidance from the Schools Financial Value Standards.
- Data Protection Officers – As a public body, you must have someone responsible for advising on compliance for the school.
- International – If your school has international branches, then these will also need to be compliant.