The new General Data Protection Regulation (GDPR) comes into force on 25 May this year, but what will it mean for schools? We take a look at what you need to know and what you need to do to make sure you’re ready.
If you have not heard of the General Data Protection Regulation (GDPR) and you work in a school, you need to get clued up quickly: break the new rules after they come into force on 25 May and the consequences could be damaging both for your school's budget and reputation.
In our other article, we give you a breakdown of what GDPR is and how it differs from the Data Protection Act, and we also give you some tips on how to become compliant.
Here we tell you what schools in particular need to know about GDPR.
GDPR for schools
Schools handle a large amount of personal data. This includes information on pupils, such as grades, medical information, images and much more. Schools will also hold data on staff, governors, volunteers and job applicants.
Schools will also handle what the GDPR refers to as special category data, which is subject to tighter controls. This could be details on race, ethnic origin, biometric data or trade union membership.
What is personal data?
This data is already governed by existing DPA regulations, which ensure personal data is handled lawfully. However, the new GDPR has gone further and requires organisations to document how and why they process all personal data, and gives enhanced rights to the individual.
“What the GDPR has done is taken the previous regime, built upon it and modernised it for the current technological and societal environment,” says Claire Williams, an information and cyber law specialist from law firm Mills & Reeve.
“In terms of schools, and the education sector in general, there’s going to be much more of a focus on data protection and it’s going to have to be much more at the forefront of people’s minds, particularly the senior leadership when they’re deciding on policies and bringing in new technology.”
Who exactly will this impact?
“Achieving compliance for any organisation will require the unconditional support from all staff, leaders, teachers and support staff,” says Guy Dudley, director of Advice and Legal Services at the school leaders' union the NAHT.
“GDPR isn’t normal ‘day-to-day’ business for schools, so they’ll have to make this change alongside all of the regular teaching and learning commitments that go on.”
In the same way that safeguarding is a school-wide priority normally led by one of the senior leadership team, it is recommended that data protection follows the same approach.
“You are expected to have somebody within the senior team whose responsibility encompasses GDPR and data protection in general,” says Williams. “They need to have adequate resourcing and an adequate understanding of what the law actually is.”
With such a major emphasis on evidencing compliance, it’s important that schools can also demonstrate that the whole school is on board when it comes to data protection.
“Part of the process of becoming compliant is to make sure that everybody has received adequate training,” says Williams. “Training needs to be sufficiently focussed and relevant to what people are doing day to day, so that they understand both the cyber security implications of their actions and the rules about the protection of personal data.”
Data Protection Officer (DPO)
Under the new law you must appoint a DPO if you carry out large-scale tracking of individuals or large-scale processing of special category data. It is possible for groups of schools, or multi-academy trusts (MATs), to share a DPO.
“Schools need to look at what suits their organisational structure,” says Williams. “If they are planning to use an external DPO, they need to make sure he or she has sufficient knowledge about the school to be able to properly advise and give tailored advice. Schools need to make sure that whoever they engage will have adequate resources and adequate time to meet the school’s needs.”
External third parties
Any relationships with third parties who handle personal data will need to have processing agreements (basically, transparent agreements about what happens to the data to ensure it is GDPR compliant) in place.
“In terms of any existing contracts, schools need to look at what they have in place and whether it is adequate,” says Williams.
Any contracts that do not contain the necessary provisions will need to be amended.
“That can be quite a significant job depending on how many processors you’ve got.”
What changes need to be made?
The key shift from the existing DPA is that simply processing data lawfully is now no longer sufficient.
“The big difference around GDPR is that it’s very much focused around being able to prove compliance,” says Toks Oladuti, director of information systems at an independent girls’ schools trust.
“[This] is going to introduce new record keeping that schools will need to do and slightly newer approaches to how they actually introduce new processing activities.”
Mapping data and having records of processing across all school systems is one of the biggest and most important changes from the DPA.
“Schools need to understand where their data is processed,” says Jonathan Harrex, DPO and information security specialist at thinkdpo.com. “They need to understand what they process, and whether that’s done internally or by a third party or by both. So they will identify how their data is processed and who does it and then they will be able to identify, as part of that, the technology that they process the data on and how that’s secured.”
Key changes for leaders:
Demonstrate compliance: schools need to document every system used to process personal data. They also need to map how this data is transferred to other systems or any third parties.
Appoint DPO: schools must appoint a Data Protection Officer (DPO) to ensure that their school is fully compliant with the new regulations (more info below).
Processor agreements: for any third-party processors you must have contracts in place stipulating that personal data is handled in compliance with the GDPR.
Reporting a data breach: if personal data has been put at risk, you may be required to inform the ICO, and in some cases, the individual at risk. This should be done within 72 hours of the breach being discovered.
Staff training: despite the best efforts of the DPO in using compliant processes, these are only as secure as the people using them. Making sure staff are trained and there is a culture of data compliance is crucial.
With the increased emphasis on accountability will come more pressure on leaders to ensure their staff receive the necessary training. Systems in place will also impact anyone who handles personal data, even if that’s an attendance register.
Key changes for teachers:
Reporting a breach: teachers must understand what constitutes a breach and, if they suspect a breach has occurred, report it to their DPO.
Introducing new systems: if teachers want to introduce a new piece of subject-specific software or use any new processing system there needs to be a clear process in place to inform the DPO and ensure it is done compliantly.