With the GDPR deadline just five weeks away, we’re hearing from schools that Data Controllers are at a very wide range of stages in being GDPR-ready. While some of you are well ahead and ready to go, more than a few people are only just now starting to get their heads around the basics of what is going on.
Like most legislation, there are a lot of acronyms, plenty of jargon and a load of legalese that some people in the earlier stages of GDPR compliance are still trying to fully unpack – so today we’re looking at some of the more basic terminology around the GDPR.
Let’s start at the top! The General Data Protection Regulation (GDPR) is an EU-wide law which came into force in May 2016 some weeks before the UK Brexit vote. The upcoming deadline on the 25th of May actually marks the end of the two year transition period organisations were given to become compliant.
Data protection officer (DPO)
By law all schools MUST have a designated Data Protection Officer who is one step removed from the data involved and who is an expert on data protection policies. It is the DPO’s job to have an overarching view of how data is used within the school to ensure the school is meeting its legal requirements.
Data processing
‘Processing’ is a term you’ll see a lot when reading up on the GDPR. Put simply, you are ‘processing’ data any time you do anything with it. This includes collecting, organising, recording, transferring, storing or even destroying any data you hold on an individual, and it covers any automated systems that handle data as well. Anybody who does any of these things is considered a Data Processor.
Lawful basis for processing
The first question to ask yourself about any piece of data is ‘why do we have this?’ If you or your school can’t answer this question, there is a very good chance you shouldn’t have that particular piece of data.
There are actually six main clauses for lawful processing, and your data must fit within one of them. For schools, most of your data will be processed under the ‘public interest’ clause, but for everything else you will need explicit permission for each individual bit of data you are gathering and using.
Third Party Processors
You are not only responsible for ensuring your school’s own data handling is compliant – all third-party suppliers you use must be too. How far does this go? Think about cashless catering, library systems, parental communications, behaviour software, payroll, healthcare, pensions… The list goes on! And yes, you are completely responsible for contacting each of them and finding out about their GDPR compliance.
The simplest way to check them all at once? GDPRiS has done the legwork for you, confirming the compliance status of over 400 education suppliers and counting.
Privacy by Design
This means that everything that is done at a school considers data protection. This could be anything from mandatory data protection training for all new staff (and upskilling of existing staff) through to automatic encryption of external hard drives, strong password protection on laptops and regular data audits.
Data protection impact assessment (DPIA)
Just like the risk assessments teachers and department heads are often expected to do for school excursions or other events, a DPIA is a written report to show that you’ve been through the thought process of considering any risks to data and what you will do if something goes wrong with it.
Data breach
This is where there is a breach of data security or where data has been accidentally misplaced or misused – think lost laptops, flash drives left lying around or personal information being shared with the wrong people. Any breach which might lead to mental or physical harm must be reported to the Information Commissioner’s Office within 72 hours of the breach being discovered.
Keeping things simple - the next steps
With barely over a month to go, now is a great time to book your free online demonstration of GDPRiS while you start working on your school-wide data audit to find out where you stand and what you need to do next. Don’t forget, Groupcall are always here to help! Get in touch with us today and find out more about simplifying your GDPR compliance with GDPRiS.