GDPR Overview for Schools
Are You Prepared for GDPR?
The EU General Data Protection Regulations 2016 (the GDPR), is new legislation which comes into effect on the 25 May 2018. It is designed to protect and empower European citizens with regard to their data privacy, and places greater obligations and sanctions on organisations that process (e.g. obtain, use, store, share and destroy) personal data.
This legislation applies to schools and other organisations and will continue to do so even when the UK leaves Europe. The UK has drafted a new Data Protection Bill which will replace our current Data Protection Act 1998 (due to be enacted in 2018), which will ensure the GDPR is ‘Brexit proof’ and will therefore continue to apply to UK organisations after it leaves. Schools should therefore proceed without delay in making the necessary changes to their procedures and processes, in time for the go-live date in May 2018.
This new legislation is the biggest change in data privacy legislation in 20 years. Although, the Information Commissioner (the UK Data Protection Regulator) has stated it is an “evolution…not a revolution” of our current data protection laws, it does still create significant burdens (resources and financial) on schools, requiring them to overhaul their existing practices for handling personal data about pupils, parents/guardians, employees etc. in order to be compliant.
How will GDPR affect schools?
GDPR is large and complex, so here’s an overview of the key areas which will affect schools to help you get started:
What should schools be doing to prepare for GDPR?
- Ensure senior management understand the significance and impact of GDPR on your school, and seek their support and direction on how to prepare for the changes.
- Carry out an information audit to identify and record what personal data you hold, where; who you share it with; how long you keep it for and what your lawful basis is for processing it.
- Tell employees and other key people that the law is changing and deliver needs based training to them.
- Review, update or create policies and procedures which reflect the GDPR changes, particularly in relation to data breach investigation and reporting; privacy notices, obtaining and managing consent and handling requests from individuals exercising their rights.
- Appoint a Data Protection Officer – this person must have expert knowledge of data protection law and practices and be able to fulfil the tasks set out in Article 39 of the GDPR. This person can be an employee or an external contractor.
GDPR Solutions for Schools - Help is at hand!
These packages include an experienced Data Protection Officer assigned to your school; GDPR readiness audits with action and recommendations report; staff training; data protection briefings and bulletins; data breach investigation and reporting support and conferences.
We understand schools have tight budgets and in many cases very limited expertise in data protection, so we offer a full range of packages to suit the needs and budgets of different schools.
We are working in partnership with Firebird Data Protection Consultancy Limited to deliver solutions for schools www.firebirdltd.co.uk