GDPR: General Data Protection Regulation
From 25th May 2018, the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR) – meaning that the way we manage all data and information within school will change.
Paper in filing cabinets, keeping records and databases of student and staff information, monitoring what’s happening day-to-day on the premises through CCTV – today’s educational landscape is packed with data.
Under current legislation school already has a duty of care to ensure that this data is kept safe and secure. And with the GDPR coming into effect school will have an increased responsibility to ensure this information – regardless of what form it’s kept in – is managed in the right way in compliance with this new regulation.
Non-compliance can currently see fines of up to £500,000 being imposed by the Information Commissioner’s Office (ICO), as well as Ofsted ratings being seriously affected if there aren’t correct policies and procedures in place when it comes to data and IT security.
But what actually is it, exactly how will GDPR affect schools and what are we doing about it?
Let’s take a look:
GDPR – what is it?
Put simply, the GDPR is a new data protection regulation that’s designed to strengthen and unify the safety and security of all data held within an organisation.
It will entirely replace the current Data Protection Act, making radical changes to many existing data protection rules and regulations that many organisations such as schools, academies and other educational establishments currently adhere to under the DPA.
How will GDPR affect schools?
Whilst you may see some similarities between the GDPR and the DPA, there will be some significant differences that will have a real impact on the way data is handled and ultimately affect the way you manage information in your school.
Here are just a few of the key things to watch out for:
- Penalties – under the DPA, non-compliance could see fines of up to £500,000 imposed by the ICO. However, failure to comply under the GDPR could see fines of up to €20 million (or 4% of global turnover – whichever is greater) for both the Data Controller (i.e. you) and anyone else involved in the chain such as the Data Processors (i.e. your recycling partner). That’s a hefty price to pay for not following the rules!
- Contracts – whilst it’s good practice to show due diligence when choosing an IT recycling partner, there’s currently no formal obligation to have a contract in place with your chosen Data Processor. But this is all set to change. Under the GDPR it will be illegal not to have a formal contract or Service Level Agreement (SLA) in place with your chosen partner.
- Data Processors – under the GDPR it will also be a criminal offence to choose an IT recycling partner/Data Processor who doesn’t hold the minimum competencies and accreditations for IT asset disposal (i.e. ADISA, ISO 27001, Blancco etc.). You must be able to demonstrate that you are working with an accredited company when it comes to disposing of your data bearing end of life IT assets.
So, what should you be doing to prevent non-compliance and hefty fines?
If you’re already complying with the DPA then chances are you already have some strict policies in place. But this doesn’t mean that just because you comply with DPA regulation, you’re automatically going to be compliant under the new GDPR law.
Whilst a number of the GDPR’s main principles are similar to those in the Data Protection Act, as we’ve seen, there will inevitably be some new elements and significant enhancements – meaning you may have to do some things differently.
As such, the ICO have put together a guide on Preparing for the General Data Protection Regulation (GDPR). They suggest a number of things you should be starting to do to get yourself ready for the change:
- Awareness – ensure that decision makers and key people in your school are aware that the DPA is changing to the GDPR – they need to appreciate the impact it will have and how the new legislation will affect schools
- Information you hold – organise an information audit and document what personal staff and student data you hold, where it came from and who you share it with
- Communicating privacy information – review your current privacy guidance and put a plan in place for making any necessary changes in time for when GDPR comes into force
- Individuals’ rights – check your current procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically
- Subject access requests – update your procedures and plan how you’ll handle requests within the new timescales and provide any additional information
- Legal basis for processing personal data – look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it
- Consent – review how you’re seeking, obtaining and recording consent and whether you need to make any changes
- Students – start thinking about what systems you’re going to put in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity
- Data breaches – make sure you’ve got the right procedures in place to detect, report and investigate a personal data breach
- Data protection by design and data protection impact assessments – begin to work out when to start implementing Privacy Impact Assessments into your school
- Data Protection Officers – designate a Data Protection Officer or someone to take responsibility for data protection compliance
You can read the full guide and the ICO’s recommendations here.
At Peel Brow School we are following all the guidelines: we have updated our privacy notices and have appointed a data protection officer, who is independent of the school.
Please see below for information related to the GDPR.