“One of the greatest misconceptions about GDPR is that it is going to be implemented in a year’s time. This is not the case. GDPR became a part of our legislation a year ago when it was first passed. What we are operating under is a two-year grace period with which to sort ourselves out and prepare for the new law. By adapting to the requirements today, we can save time, effort and potentially a great deal of money.”
How will GDPR affect schools?
GDPR will replace our current Data Protection Act (DPA) and is designed to harmonise data protection legislation across Europe so that we all operate to the same standards. It is also designed to take into account the huge changes in the use of data across the past twenty years since the DPA came into force, such as the launch of Google, Apple iPhones, Facebook etc. along with the increased use of computers, tablets and software in schools.
GDPR introduces a number of changes that will impact schools – not least that of consent. Education has always valued people’s rights and freedoms and has been very good at taking steps to protect personal data, but GDPR introduces new requirements as well as massively increased penalties for non-compliance.
It is important to note that schools store personal data on more than just the students enrolled there. Teaching staff, assistants, governors, parents, cleaners and more: everyone who is held on the database or in paper records will need to have their data carefully managed to prevent any personal data from being mishandled.
If processing is based on a person giving consent, the rules change: consent has to be freely given and unambiguous, and must involve a ‘clear affirmative action’, so no more pre-ticked boxes and the like. It must also be just as easy to withdraw consent as it was to give it.
Happily, a great deal of the processing of personal data undertaken by schools will fall under a different legal basis, ‘in the public interest’, as it is obviously in the public interest to operate schools successfully, which will mean that specific consent will not be needed in the majority of cases in schools.
However, under GDPR, consent must be explicitly given to anything that doesn’t sit within the normal business of the school, especially if it involves a third party managing any of the data. This opens up a lot of school activities for debate - just last week, a primary school near my home was doing cycle safety training. Naturally, this is an important thing to be aware of and to learn about. Is it considered an essential part of the curriculum or normal school business? That much is unclear. Sharing the pupils’ data with the company organising the training would also fall under GDPR and would require separate consent to do so.
This doesn’t mean that third parties can no longer be used, but it does mean that parents must give express consent every time their child’s data is used outside the school. There can be no catch-all at the start of the year that assumes consent for everything: each use must be approved by the Data Subject (the person whose information is captured, or the parent in the case of a child). Under current law, from the age of 16, a person is legally considered an adult and can refuse to consent to their data being used. This could potentially lead to a stand-off, with students withholding consent to their data being used in school and preventing it from going about its day-to-day operations. With talk on the horizon of this age being lowered to 13, the issue would only be exacerbated. At the moment the resolution is unclear, and will only be established once it has been argued out in the courts.
Also under GDPR, data controllers (the school) must have a legally binding contract with any company that processes personal data on their behalf (third-party software providers etc.), and there are specific elements that these contracts must contain covering what data is being processed, by whom, who has access to it, how it is protected and so on. This will undoubtedly mean new contracts being required in many cases. Also, as the data controller, you need to be sure that anyone who processes personal data for you is also GDPR compliant.
What if we are not compliant in time?
It’s in everyone’s interest that you are compliant when the May 2018 deadline arrives, as the penalties can be quite severe. A maximum fine of €20m or 4% of global revenue, whichever is the larger sum, can be levied for a serious offence, and half of this for lesser offences. It goes without saying that this would be devastating to any school caught at the wrong end, so we highly recommend ensuring that you are ready in advance of the deadline.
What can I do to ensure compliance?
There are several steps you can take to ensure that your school is getting ready for compliance:
- Ensure your senior management team fully understand GDPR and its potential impact
- Undertake a full data audit so that you know what data you store or process about any individuals (pupils, staff, parents etc.)
- Consider the personal data you process and understand how it is collected, where it came from, what it is used for, what risks are posed by its use etc.
- Appoint a Data Protection Officer – every school has to appoint a DPO under GDPR who will be responsible for ensuring your ongoing compliance, staff training, policies etc.
- Ensure your staff are trained according to their role and responsibilities – general GDPR awareness training for all staff plus more detailed GDPR training for those with more responsibility such as the Head Teacher, Deputy Head, Business Manager etc.
- Don’t panic – most schools are already in reasonable shape due to their compliance with the current DPA and the fact that you already take care when handling personal data. Yes, there are plenty of new things to consider under GDPR but if you start now you can ensure you are compliant in plenty of time.
Where can I get help or more information?
As data specialists, Groupcall are working hard to ensure that all of our products are prepared for when GDPR regulations become enforceable. By training our staff in the changes to the law via certified courses, we remain a supplier that can be trusted to protect your data.
We are also offering a series of GDPR training courses designed specifically for schools, local authorities and MATs: https://www.groupcall.com/events
Together with some of our partners, we have developed a GDPR compliance toolkit, GDPR in Schools, (www.gdpr.school) which will help schools, academy trusts etc. through the compliance process as well as enabling them to monitor their own and their suppliers’ compliance with GDPR in a simple yet effective way.
The Information Commissioner’s Office (ICO) has produced a good deal of guidance and information on the new GDPR (https://ico.org.uk/for-organisations/data-protection-reform/) including an overview of the regulation itself, steps to achieve compliance etc.
For further enquiries into what Groupcall can provide you with to ensure that your school’s data is secure and correctly handled, please get in touch.
With a Master’s Degree in Business Administration, along with several qualifications in the field of Information Security including the General Data Protection Regulation (GDPR), Steve Baines, Groupcall’s Data Protection Officer, is uniquely positioned to discuss the changes that came with GDPR and the potential impact that will be felt across schools.