5 key things schools need to know about GDPR

There is much panic related to the implementation of GDPR in May 2018, yet it is pertinent to note that GDPR came into effect in 2016! However, organisations have been given 18 months to prepare before the enforcement of the new regulations begin.
Compared to many private organisations, schools are much better placed to address the new regulations. Make no mistake, GDPR is a data protection game-changer and it will bring new demands and challenges that will impact school resources and ultimately finances.
In education, there has always been a culture that values every person’s rights and freedoms, and schools have always had to give parents and children access to their data. Let’s take a brief look at the 5 key things schools need to be aware of and how they might prepare for GDPR implementation.
1. Individuals rights
GDPR gives more control to individuals, and their rights have been clarified. In broader terms no data may be processed unless all rights are considered and fulfilled, where relevant.
These are:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights related to automated decision making and profiling

What you can do to prepare:

• Review your procedures to ensure that you can deliver the rights of individuals under GDPR.
• Find out more from the ICO.

2. Data Processors/School suppliers
GDPR mandates a formal contract/SLA with all suppliers that process data, including how the data is stored and managed. It is the school’s responsibility to be proactive in establishing if 3rd party suppliers are GDPR compliant. If there was a data breach or non-compliance by a supplier, the school (as the Data Controller) may be held jointly liable.
What you can do to prepare:

• Conduct an information audit across your school to map data flows and document what personal data you hold, from where it came and with whom it has been shared.
• Refer to the draft guidance from the ICO.

3. Accountability
GDPR brings a much greater focus and accountability and evidence. School governing bodies are solely responsible for their compliance with the principles of GDPR and must be able to demonstrate their compliance.
What you can do to prepare:

• It is important that you implement appropriate technical and organisational measures that ensure and demonstrate that you comply.
• Further information is available via the ICO.

4. Data Protection Officers (DPOs)
It will be mandatory for schools to appoint a data protection officer, you can appoint your own DPO internally or externally and can share a DPO with other schools. The GDPR does not specify the relevant qualifications that DPOs need, but it does require a DPO to have
“expert knowledge of data protection law and practices.” It is important to remember that the DPO is there as supervisor to ensure you comply and offer guidance. The DPO bears no liability for any data breach or non-compliance.
What you can do to prepare:

• GDPRiS has put together a guide to choosing a DPO with the pros and cons of the DPO tasks against each role within a school environment.
• Read the ICO guidance on Accountability and Governance under GDPR.

5. Data Breaches and Subject Access Requests (SARs)
It will be mandatory to report data breaches to the ICO within 72 hours where an individual is likely to suffer physical or mental harm.
Subject Access Requests (SARs) also have a lower timescale than the previous act. It will be mandatory to respond within 1 month and the biggest change is that you are no longer able to levy the fee of £10 for SARs.
What you can do to prepare:

• Implement appropriate procedures to ensure personal data breaches will be detected, investigated and reported effectively.
• Ensure you have mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
• Read the guidance on Breaches and SARs from the ICO.

Schools with existing rigid data protection policies should see GDPR as an opportunity to improve the way they work – not a stick to beat them with. The most important thing to say is ‘don’t panic’ BUT do ‘start preparing now’, if you haven’t already. GDPRiS has put together free resources for schools to access and download to help them on their journey to compliance.

The author

Melanie Hurley

Melanie Hurley is Marketing Manager at GDPR in Schools (GDPRiS) and has worked in the education market for more than 20 years. GDPRiS is an all-in- one data protection monitoring system designed specifically to meet the needs of schools when managing data protection and ensuring compliance with data protection regulations.

http://www.gdpr.school/