The General Data Protection Regulation (GDPR) is just around the corner - coming into force on 25 May 2018. It will be the biggest reform of data protection laws for 20 years and brings with it a raft of changes and new obligations which will impact all schools.
We would strongly suggest that all schools review their preparations for the GDPR and step them up if necessary. The Information Commissioner’s Office (ICO) has published guidance on the kind of things that all schools should be doing to prepare.
What steps should schools be taking to prepare for the new GDPR?
Research and education
GDPR has been in the news for a while now, but you should ensure you have the correct and most up-to-date information. Also find out exactly how it is likely to affect your school and share this information with key people within the school. Organise training sessions as necessary.
Data Protection Officer
Decide whether you should appoint a Data Protection Officer (or whether you will appoint one voluntarily) and put the necessary steps in place to recruit the appropriate person, if required. Remember that there may be a lot of schools looking for Data Protection Officers in advance of the implementation of the GDPR.
Look at your school and carry out a careful audit of the personal data that you hold, how you came about it, what you do with it and on what basis. If you are relying on consent as the basis for processing any data, then you need to review this carefully as the GDPR makes relying on consent much more difficult than under the previous legislation.
Look carefully at your ICT and data management systems and decide what steps need to be taken to change or upgrade those systems. Leave enough time to test and implement any necessary changes and upgrades ahead of 25 May 2018.
Review your privacy notices and policies
The GDPR sets out a list of mandatory information which you must give to all the data subjects on which you hold data and this would need to be reflected in your practices.
Your school is likely to use suppliers to process information on your behalf. Your contracts with these people/organisations will need to be reviewed and brought into line with the GDPR, which sets out several things that must be present in these contracts.
The GDPR brings with it obligations to report breaches to both the ICO and to the affected data subjects – you will need to have procedures in place to comply with that.
Document all the steps you take
The GDPR places a great emphasis on accountability and compliance. It is important not only to comply but to show that you are complying.
While GDPR is close at hand, do not worry: we are too! Our specialist HR team can provide the following GDPR service:
- Initial pre-audit questionnaire
- On-site meeting with our specialist expert
- Interviews with nominated staff
- Practical advice and guidance
- A GDPR Audit
- A written report and recommendations
Our GDPR Audit assesses how well your school is complying with its data protection obligations, which includes:
- Accountability & Governance
- Processes & Procedures
- Data Protection Officer Role