The General Data Protection Regulation (GDPR) will come into force in the UK in just over six months' time – on 25 May 2018. It will be the biggest reform of data protection laws for 20 years and brings with it a raft of changes and new obligations which will impact on all schools.
We would strongly suggest that all schools review their preparations for the GDPR and step them up if necessary. The Information Commissioner’s Office (ICO) has published guidance on the kind of things that all schools should be doing to prepare.
What steps should schools be taking to prepare for the new GDPR?
Research and education
Find out more about the GDPR and how it is likely to affect your school and share this information to key people within the school. Organise training sessions as necessary.
Data Protection Officer
Decide whether you should appoint a Data Protection Officer (or whether you will appoint one voluntarily) and put the necessary steps in place to recruit the appropriate person, if required. Remember that there may be a lot of schools looking for Data Protection Officers in advance of the implementation of the GDPR.
Look at your school and carry out a careful audit of the personal data that you hold, how you obtained it, what you do with it and on what lawful basis. If you are relying on consent as the basis for processing any data, then you need to review this carefully, as the GDPR makes relying on consent much more difficult than under the previous legislation.
Look carefully at your ICT and data management systems and decide what steps need to be taken to change or upgrade those systems. Leave enough time to test and implement any necessary changes and upgrades ahead of 25 May 2018.
Review your privacy notices and policies
The GDPR sets out a list of mandatory information which you must give to all the data subjects on whom you hold data, and this will need to be reflected in your privacy notices and practices.
Your school is likely to use suppliers to process information on your behalf. Your contracts with these people/organisations will need to be reviewed and brought into line with the GDPR, which sets out several things that must be present in these contracts.
The GDPR brings with it obligations to report breaches to both the ICO and to the affected data subjects – you will need to have procedures in place to comply with that.
The important thing is to document all the steps you take. The GDPR places a great emphasis on accountability and compliance. It is important not only to comply but to show that you are complying.
Finally, don’t panic – there is still just over six months to go but time is ticking. The GDPR is not going to go away and you need to be ready for it. With that in mind, we're holding a Data Protection Update on 25 January 2018 to help schools prepare. A specialist member of our HR team can also provide a GDPR Audit to assess how well your school is complying with your data protection obligations.