GDPR in Schools – How does it affect them?
From 25th May 2018, GDPR has been a key issue in schools. On that date the Data Protection Act 1998 was replaced by the General Data Protection Regulation (GDPR), supplemented in the UK by the Data Protection Act 2018 – meaning that the way you manage all data and information within your school must change.
Stuffing paper into filing cabinets, keeping records and databases of student and staff information, monitoring what’s happening day-to-day on the premises through CCTV – today’s educational landscape is packed with data.
Under the old legislation you already had a duty of care to ensure that this data was kept safe and secure. With the GDPR in effect, not only in schools but in organisations across Europe, you have an increased responsibility to ensure this information – regardless of what form it’s kept in – is managed in the right way and in compliance with the new regulation.
Under the old Data Protection Act, non-compliance could see fines of up to £500,000 imposed by the Information Commissioner’s Office (ICO), and Ofsted inspections can also be affected if the correct policies and procedures aren’t in place when it comes to data and IT security.
As such, the ICO is urging educational providers to think about the impact the GDPR now has on them and to implement robust policies and practices accordingly.
But what actually is it, exactly how does GDPR affect schools and what should you be doing about it?
Let’s take a look:
GDPR – what is it?
Put simply, the GDPR is a data protection regulation designed to strengthen and unify the protection of personal data held by organisations across the EU.
It replaces the Data Protection Act 1998 (in the UK it is supplemented by the Data Protection Act 2018), making significant changes to the data protection rules that schools, academies and other educational establishments were obliged to adhere to under the DPA.
How does GDPR affect schools?
Whilst you may see some similarities between the GDPR and the DPA, there are some significant differences that will have a real impact on the way data is handled and ultimately affect the way you manage information in your school.
Here are just a few of the key things to watch out for:
Under the DPA, non-compliance could see fines of up to £500,000 imposed by the ICO. Under the GDPR, the maximum fine rises to €20 million or 4% of annual worldwide turnover, whichever is greater, and it can be imposed on the Data Controller (i.e. you) and on anyone else in the chain such as a Data Processor (i.e. your IT recycling partner). That’s a hefty price to pay for not following the rules!
Whilst it has always been good practice to show due diligence when choosing an IT recycling partner, under the DPA there was no formal obligation to have a contract in place with your chosen Data Processor. This has changed. Article 28 of the GDPR requires a written contract (or other legal act) between controller and processor that sets out the subject matter, duration, nature and purpose of the processing, the types of personal data involved, and the processor’s obligations – for example to act only on your documented instructions, to keep the data secure, and to delete or return it at the end of the service. A Service Level Agreement (SLA) on its own does not satisfy this unless it contains those terms.
The GDPR also requires you to use only processors that provide “sufficient guarantees” that they will meet its requirements and protect the rights of the individuals concerned (Article 28(1)). It does not name specific accreditations, and failing to check is a compliance breach rather than a criminal offence, but you must be able to demonstrate the due diligence you carried out. For IT asset disposal, recognised evidence includes ADISA certification, ISO 27001 certification and certified data erasure (for example Blancco erasure reports) – ask for the certificates and for erasure or destruction records before you hand over any data-bearing end-of-life IT assets.
So, what should you be doing to prevent non-compliance and hefty fines?
If you complied with the DPA then chances are you already have some strict policies in place. But complying with the DPA does not automatically make you compliant under the GDPR.
Whilst a number of the GDPR’s main principles are similar to those in the Data Protection Act, as we’ve seen, there are some new elements and significant enhancements – meaning you may have to do some things differently.
As such, the ICO put together a guide, Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now.
It suggests a number of things you should now be doing:
Awareness
Ensure that decision makers and key people in your school are aware that the DPA has been replaced by the GDPR – they need to appreciate the impact it has and how the new legislation affects schools.
Information you hold
Organise an information audit and document what personal data you hold about staff and students, where it came from, who you share it with, and how long you keep it.
Communicating privacy information
Review your current privacy guidance and put a plan in place for making any necessary changes for GDPR.
Individuals’ rights
Check that your current procedures cover all the rights individuals have under the GDPR, including how you will erase personal data on request and how you will provide an individual’s data to them in a commonly used electronic format.
Subject access requests
Update your procedures and plan how you’ll handle requests within the new timescales – generally one month rather than the 40 days allowed under the DPA, and in most cases free of charge rather than for a £10 fee – and how you’ll provide the additional information the GDPR requires in your response.
Legal basis for processing personal data
Look at the various types of data processing you carry out, identify your lawful basis for each and document it. For most of a school’s core processing the appropriate basis is likely to be a legal obligation or public task rather than consent, so don’t default to consent where it isn’t needed.
Consent
Review how you’re seeking, obtaining and recording consent and whether you need to make any changes. Under the GDPR consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.
Children
Start thinking about what systems you’re going to put in place to verify individuals’ ages and to gather parental or guardian consent for any processing where you rely on a child’s consent.
Data breaches
Make sure you’ve got the right procedures in place to detect, report and investigate a personal data breach. Under the GDPR, a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of your becoming aware of it, and where the risk is high the affected individuals must also be told without undue delay – so the procedure needs to work at school-holiday pace as well as in term time.
Data protection by design and data protection impact assessments
Begin to work out when and how to carry out Data Protection Impact Assessments (DPIAs) in your school – they are mandatory where processing is likely to result in a high risk to individuals, for example when introducing or extending CCTV monitoring or rolling out a new system that handles pupil data at scale.
Data Protection Officers
Designate a Data Protection Officer. Public authorities must appoint a DPO under the GDPR, and in the UK that includes maintained schools and academies, so for most schools this is a requirement rather than an option. The DPO can be a member of staff or an external provider, but must be able to act independently and report to senior leadership.
As well as this, there are a few guidelines for best practice that we think could help you out too:
Have an e-safety policy in place
Putting a clearly defined e-safety policy in place is vital to ensure that all key stakeholders know what needs to be done to remain GDPR compliant.
It also helps to protect not only your students but also all of the data held on your school’s systems. A good e-safety policy covers the whole lifecycle of that data – from defending your network against malicious attacks, malware and phishing, through to how your end-of-life hardware is wiped and destroyed.
Both the ICO and Ofsted take a dim view of institutions that don’t have the correct policies and procedures in place. Best practice is to find a suitable partner such as DMC Canotec who can help you manage all of that in a safe, secure and compliant way – or better yet can do it all for you!
Choose the right partner
As we saw earlier, bringing on board a Data Processor that doesn’t meet the obligations set out by the GDPR can seriously impact schools.
Therefore, it’s just as important as all the other points we’ve mentioned to make sure you’re choosing the right partner to work with when it comes to IT asset disposal. Working with an accredited Data Processor helps ensure that any end-of-life data-bearing equipment is wiped or destroyed in a safe, secure and compliant way, with records you can produce if the ICO asks.
Partners such as DMC Canotec will also ensure there’s a legally binding contract in place that sets out the formal processes involved and the terms the GDPR requires.