What is the General Data Protection Regulation (GDPR)?
As of 25th May 2018, the GDPR will replace the Data Protection Act 1998 – this means the way in which schools manage data and information will change.
The GDPR is designed to strengthen the safety and security of all data held within an organisation, and make sure procedures are consistent. It focusses on the privacy rights of individuals and the idea that everyone should know what data is held about them and how it is used.
Why is it important? Well, the GDPR makes many changes to existing data protection rules and regulations that schools adhere to – including policies.
How does it affect schools?
The main new elements are:
- Accountability – schools must prove their compliance with data protection principles by having effective policies and procedures in place.
- Privacy – new information must be included in privacy notices, e.g. legal basis for processing data, retention periods, rights to complain to the Information Commissioner's Office (ICO). This information must be in a concise, clear and easy-to-understand language.
- Individuals' rights – a new right to 'data portability' means data must be provided in a commonly used, electronic format. Other rights under the GDPR include: subject access requests; to have inaccuracies corrected; to have information erased; to prevent direct marketing; and data portability.
- Subject access – there's a reduced time frame to comply with subject access requests (SARs) – from 40 days to 1 month. To refuse requests you must have policies and procedures in place to show the refusal meets the criteria. Unfounded or excessive SARs can be charged or refused. Additional information is needed for those making SARs, including retention periods and the right to have inaccurate data corrected.
- Legal basis – schools' legal basis for processing personal data must be explained in privacy notices.
- Consent – data controllers must demonstrate that consent was given, and it has to be a positive indication of agreement to personal data being processed.
- Children – special protection is given for children's personal data – consent is needed from a parent to process this data. Privacy notices must be written in a language that can be understood by children.
- Data breaches – a breach notification duty is applied to all schools, and those that are likely to cause damage, e.g. identity theft, have to be reported to the ICO – failure to do so can result in a fine.
- Privacy impact assessment – this will be a legal requirement rather than good practice.
- Data protection officer (DPO) – schools will be required to appoint a DPO.
How to prepare
Preparation is key – if you leave it too late, you might not be able to ensure you're fully compliant with the regulations. Follow these 11 steps to make sure you're ready:
- Awareness – make sure decision-makers and key people are aware of the GDPR coming into effect, and what it will mean for them.
- Information – organise an information audit and document what personal staff and pupil data you hold, where it came from and who you share it with.
- Privacy information – review your current privacy notices and make sure they meet the requirements above.
- Individuals' rights – check all procedures and policies to ensure they cover individuals' new rights, including how you will delete personal data, and provide data electronically and in a commonly used format.
- SARs – update your procedures and plan how you will handle requests within the new timescales, and how you will provide additional information.
- Legal basis – consider the data you process, identify your legal basis for doing so, and document it.
- Consent – review how you're seeking, obtaining and recording consent and whether you need to make any changes.
- Children – think about the systems you're going to put into place to verify pupils' ages, and how you're going to gain consent for data processing from parents.
- Breaches – review your procedures for detecting, reporting and investigating personal data breaches.
- Impact assessments – read the ICO's guidance on privacy impact assessments and assess how and when to implement them in your school.
- DPO – designate a DPO to take responsibility for data protection, making sure you assess where this role will fit within your school's structure and governance arrangements.
- Data processor – make sure you appoint a data processor who is compliant with GDPR requirements and IT asset disposal.
- E-safety and e-security policies – implement these policies to ensure you have procedures in place to protect data in any situation – malicious attacks, viruses, phishing, or destruction or loss of data.
If you're not compliant there are consequences – here are just a few:
- Penalties – non-compliance can see fines of up to four percent of annual turnover for your school and anyone else involved, e.g. data processors.
- Contracts – it will be illegal not to have a formal contract or service level agreement in place with your school's chosen data processor.
- Data processors – it will be a criminal offence to choose a data processor who doesn't hold the competencies required and IT asset disposal accreditations.
- Ofsted – Ofsted evaluate policies and procedures, so if you're not compliant with GDPR regulations, it might have an impact on your inspection.
TheSchoolBus has carefully put together a GDPR Resource Pack which is designed to provide an overview of the regulations, ensuring your school and governing board are prepared for the introduction of the GDPR.
The pack includes:
- A GDPR Data Protection Policy
- Preparing for the General Data Protection Regulation - 3 Minute Read
- Preparing for the General Data Protection Regulation guidance document
- Preparing for the General Data Protection Regulation: A Checklist for Governors and MAT Trustees
- GDPR: School Survival Guide
To minimise risks in your school and instantly draw a line through five items on your to-do list, including GDPR, sign up for a no-obligation free trial and download five free resources of your choice today.