GDPR – Are you Prepared?
What is GDPR?
General Data Protection Regulation, (GDPR) is a set of new regulations due to come into force in May next year, which will replace the Data Protection Act (1998). Designed to further improve security around the way data is obtained, handled and shared, organisations will need to review and adjust their processes to ensure compliance. GDPR will be mandatory from 25 May 2018 onwards, and organisations across multiple sectors will need to have their systems and processes compliant, to avoid a potential large fine – including schools.
So much has been written and produced about the impending GDPR, so we have put together a quick summary of how it will affect schools, highlighting how you can get ahead of the game and be prepared in time (not to mention, avoiding some hefty fines!)
How will GDPR affect Schools?
Schools and Academies are bursting with data – whether it’s paper consent forms in filing cabinets, student and staff databases, text messaging, email and online payments services – even CCTV on the premises! Regardless of how this information is stored, schools already have a duty of care (under current Data Protection Act legislation) to keep this information safe and secure – but GDPR will intensify this responsibility even further.
The Information Commissioners Office (ICO) have issued guidance, urging organisations to put GDPR policies in place, as non-compliance could result fines of up to £500,000. In addition to any financial penalty, failure to comply could seriously impact your school’s Ofsted ratings.
What steps can your school take, to comply with GDPR?
Check third party suppliers and contracts – It is your responsibility as a school (the data controller) to make sure that any external parties that handle your school’s data are fully compliant with GDPR (e.g. messaging service providers like us, IT software suppliers, IT recyclers/asset disposal partners, catering companies, teaching agencies etc.) This should also be documented in a formal SLA (for each supplier) outlining how the data is stored, handled and shared – as under GDPR, it will be illegal not to do so.
Data Protection Officer (DPO) – you will need to appoint a DPO, who will have overall responsibility for all data handling in your school. The regulations around data handling are very detailed, so your DPO will need to be aware of the requirements, as well as being responsible for reporting any breaches within 72 hours.
Have an e-safety policy in place – Having a robust e-safety policy in place will make sure that all stakeholders linked to your school (both internally and externally) know how to stay GDPR compliant. This will protect not only your staff and students, but it will keep safe, all the data that is held on the systems in your school. (don’t forget, a cyber attack on your school’s IT network, viruses that infect your IT systems, or even the way your school’s IT hardware is disposed of, can all affect your GDPR compliance!)
ICO’s Guidance – The Information Commissioner’s Office (ICO) have issued a guide for organisations to prepare for GDPR*. It suggests 12 things you can do now, to get yourself ready for the change.
We have adapted this guide for schools, which you can download in full here.