From 25 May 2018 the GDPR comes into effect, changing the way that schools, colleges, academies and all other organisations are required to manage and protect personal data. Data covered by the regulation includes everything from digital files and folders to paper copies of forms hidden away in cabinets in reception. Keeping data securely protected is already a legal requirement, but the Data Protection Act is almost 20 years old, and the way that data is created, stored and used has changed so much in that time that an update is overdue.
GDPR stands for the General Data Protection Regulation. It replaces the Data Protection Act, which sets out much of the current guidance on data protection. The GDPR aims to strengthen how schools and other organisations manage and protect data, with a focus on the protection of personal data.
While the other legislation that schools must already adhere to remains in place, the GDPR sets out some significant changes to how personal data can be processed and gives individuals more rights over their own data than they have previously had.
Yes. The GDPR applies to all organisations that hold personal data about people in the EU, even if the organisation itself is not based in Europe. Some have called it the 'Global' Data Protection Regulation. The regulation introduces some significant changes, so the way information is processed, both internally and when it is shared externally, will matter.
Compliance with the regulation is vital for all schools: given the sensitive nature of the personal data they hold (pupil records, safeguarding information, medical details, staff data), the impact of a data breach is severe. Compliance is not a one-off exercise but something that needs to be worked towards on an ongoing basis.
Under the Data Protection Act, the ICO (Information Commissioner's Office) has the power to impose a maximum fine of £500,000 for a major data breach. A data breach is defined as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Under the GDPR the maximum fine rises to €20,000,000 or 4% of global annual turnover, whichever is higher. It is worth knowing that the ICO, to date, has never fined a school for a breach and is more likely to agree an undertaking with the school, with the goal of improving its protection policies and its compliance with data protection law.
Under the GDPR, public authorities (which includes schools) must appoint a Data Protection Officer (DPO), who is responsible for helping the organisation comply with the regulation and for advising on policies. Fortunately for schools, a DPO does not have to be a direct employee of the organisation and can be shared between organisations, which is good news for multi-academy trusts and federated schools.
One of the core aims and principles of the GDPR is to ensure that personal data is protected correctly, and because organisations share data with partners and external suppliers, it is vital to make sure those parties are compliant too. Under the GDPR, a formal written contract (which may include a Service Level Agreement, or SLA) must be in place with every supplier that processes personal data on the school's behalf, and due diligence must be done to ensure that partners and suppliers are themselves compliant.
Compliance with the GDPR is an ongoing task within a school, and with so many different sources of information, no two schools will need exactly the same set of policies and controls to be compliant. Following best practice and recording the actions taken will help with compliance and, if a breach does occur, will count in the school's favour when the ICO considers the case. Compliance tools are available and can assist with this process.
The ICO guidelines on preparing for the GDPR set out 12 steps that all organisations can take. Some of these are written with businesses in mind, but all of them can be applied to schools in some way.