From 25 May 2018, the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR). This means the way you manage data and information within your school will change, bringing significant additional compliance requirements.
Under current legislation schools have a duty of care to ensure that their data is kept safe and secure. With the GDPR coming into effect schools will have an increased responsibility to ensure the way they process and store this information is compliant with the changes.
The GDPR is a new data protection regulation designed to strengthen and unify the safety and security of all data held within an organisation in the EU.
It will entirely replace the current DPA, making changes to many existing data protection rules and regulations that organisations such as schools, academies and other educational establishments currently adhere to under the DPA.
The GDPR will come into force before the UK leaves the European Union. Therefore, UK organisations handling personal data will still need to comply with the GDPR.
Although there are similarities between the GDPR and the DPA, there are also significant differences that will impact the way data and information is managed in your school.
Non-compliance can result in huge financial penalties (up to £500,000) being imposed from the Information Commissioners Office (ICO), as well as Ofsted ratings being impacted if the correct data and IT security policies and procedures aren’t in place.
Now is the time to start putting policies and practices into place ahead of the change to ensure compliance with the new regulation.
The ICO suggests ways in which organisations can prepare for the data protection changes and has published a 12-step checklist, summarised below.
1. Awareness
Key decision makers in your organisation need to be aware that the DPA is being replaced by the GDPR. They need to understand the impact that the changes to data protection law will have and identify areas where the school will need to make changes to ensure compliance.
2. Information you hold
Carry out an information audit and document the personal staff and student data you currently hold, where it came from and who it is shared with. You should also map out which parts of the GDPR will have greatest impact on you.
3. Communicating privacy information
Review your current privacy notices and guidance and put a plan in place for making any necessary changes ahead of GDPR implementation.
Consider such issues as the information being collected, who is collecting it and how, why it is being collected, how it will be used and what the impact on the individual concerned will be.
4. Individuals’ rights
Check your current procedures to ensure they cover all rights of individuals, including how personal data is deleted and how data is electronically provided.
A new requirement under the GDPR is for you to be able to explain your legal grounds for processing and using personal data in your privacy notice.
In addition, individuals will have a stronger right to have their data deleted where you use consent as your legal basis for processing.
5. Subject access requests (SAR)
Under the GDPR there is a new requirement to explain your legal grounds when answering a SAR.
You should update your procedures, plan how you will handle requests within the new timescales and provide any additional information.
The GDPR will continue to allow individuals to ask the school for a copy of their personal data along with other information about how the school is processing it.
The data controller must provide a copy of the personal data, free of charge, in an electronic format.
6. Lawful basis for processing personal data
You should identify and document the lawful basis for your data processing and update your privacy notice to explain it under the GDPR.
7. Consent
The conditions for consent have been strengthened and you should review how you are seeking, obtaining and recording consent for processing personal data and whether any changes are required.
Under the GDPR, consent must be freely given and as easy to withdraw, at any time, as it was to provide it in the first place. If consent is revoked this must also be recorded.
8. Children
The new legislation introduces some child-specific provisions, including the legal grounds for processing children’s data.
Plan the systems you need to put in place to verify individuals’ ages, and to gather parental or guardian consent for the data processing activity.
9. Data breaches
Put in place the procedures to detect, report and investigate a personal data breach in the new specified timescale. Breach notification must be made within 72 hours of having become aware of the breach.
You should also maintain an internal breach register.
10. Data protection by design and data protection impact assessments
Privacy impact assessments (PIAs) are used to identify and reduce the privacy risks of your projects. The ICO’s code of practice on PIAs explains the principles which form the basis for a PIA.
Organisations should familiarise themselves with the code and plan when to implement PIAs.
11. Data protection officers
Hire a data protection officer or designate an individual to take responsibility for data protection compliance.
Under the GDPR it is mandatory for public authorities, including maintained schools and academies, to have a designated DPO.
12. International considerations
Review and map any flows of personal data outside the EU, consider what transfer mechanisms are in place and ensure these comply with the GDPR.
