There is much panic related to the enforcement of GDPR from May 2018, yet it is pertinent to note that GDPR entered into force in May 2016. Organisations were given two years to prepare before enforcement of the new regulation begins on 25 May 2018.
Compared to many private organisations, schools are much better placed to address the new regulations. Make no mistake, GDPR is a data protection game-changer and it will bring new demands and challenges that will impact school resources and ultimately finances.
In education, there has always been a culture that values every person’s rights and freedoms, and schools have always had to give parents and children access to their data. Let’s take a brief look at the 5 key things schools need to be aware of and how they might prepare for GDPR implementation.
1. Individual rights
GDPR gives more control to individuals, and their rights have been clarified. In broader terms, no data may be processed unless all rights are considered and fulfilled, where relevant.
These are:
What you can do to prepare:
2. Data Processors/School suppliers
GDPR mandates a formal written contract with every supplier that processes personal data on the school's behalf, setting out how the data is stored, managed and protected. It is the school's responsibility to be proactive in establishing whether third-party suppliers are GDPR compliant. If there is a data breach or non-compliance by a supplier, the school (as the Data Controller) may still be held liable alongside the supplier.
What you can do to prepare:
3. Accountability
GDPR brings a much greater focus on accountability and evidence. School governing bodies are solely responsible for their compliance with the principles of GDPR and must be able to demonstrate their compliance.
What you can do to prepare:
4. Data Protection Officers (DPOs)
It will be mandatory for schools to appoint a Data Protection Officer. You can appoint your own DPO internally or externally, and you can share a DPO with other schools. The GDPR does not specify the qualifications a DPO needs, but it does require a DPO to have
"expert knowledge of data protection law and practices." It is important to remember that the DPO is there to monitor your compliance and offer guidance; responsibility for compliance stays with the school. The DPO bears no personal liability for a data breach or non-compliance.
What you can do to prepare:
5. Data Breaches and Subject Access Requests (SARs)
It will be mandatory to report a data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must also be told without undue delay.
Subject Access Requests (SARs) also have a shorter timescale than under the Data Protection Act 1998. It will be mandatory to respond within one month (extendable by a further two months for complex or numerous requests), and the biggest change is that you are no longer able to levy the standard £10 fee for a SAR.
What you can do to prepare:
Schools with existing robust data protection policies should see GDPR as an opportunity to improve the way they work, not a stick to beat them with. The most important thing to say is 'don't panic' BUT do 'start preparing now', if you haven't already. GDPRiS has put together free resources for schools to access and download to help them on their journey to compliance.
Great article. Lots of scaremongering around at the moment but this helps put it all in perspective.