Five Key Risks Around GDPR Compliance

on Monday, 09 October 2017.

Following the volume of news and commentary surrounding the impending introduction of the General Data Protection Regulation (GDPR) in May 2018, it should come as no surprise that the pressure is now on schools to ensure they are prepared in time.

There are five key areas of risk for schools: 

  1. accountability - including keeping a record of compliance
  2. information security
  3. transparency
  4. data subject rights - these are increased and strengthened under the GDPR
  5. marketing and fundraising

These areas are largely linked so a risk mitigated in one area can go a long way to guard against risks in another. For example, having documentation regarding your practices, such as policies for staff, is helpful for keeping personal data secure and will also help with accountability.

Accountability

Perhaps one of the most striking differences between the GDPR and the current Data Protection Act (DPA) is that compliance with the legislation will not be enough. You will also be expected to 'demonstrate' your compliance and show that data protection and information security are built into your practices. Some key mechanisms for demonstrating compliance include: 

  • having a record of processing activities which is required by the GDPR

  • recording any consents received (although your school will only rely on consent in limited circumstances)

  • implementing robust data protection policies and training for staff

  • making data protection and privacy considerations integral to any decision involving the handling of personal data and documenting this (privacy by design and privacy by default)

  • carrying out Data Protection Impact Assessments before starting to use personal data in a 'high risk' way

Information Security

Your school should have robust measures in place to keep personal data secure which links to the accountability requirement above. Having staff training and policies, considering data protection when taking decisions involving personal data, and carrying out Data Protection Impact Assessments are essential for keeping personal data secure. Your IT team should put in place technical measures to guard against risks.

Certain data breaches must be reported to the Information Commissioner's Office and to affected individuals. Having a data breach policy and procedure to be followed in the event of a breach or suspected breach is highly recommended.

Transparency

Under the DPA, individuals must be given information about how your school uses their personal data. This information is usually provided in a document known as a privacy or transparency notice. More information must be provided in these notices under the GDPR compared to the DPA. Clear and plain language should be used, especially where addressed to children (as will be the case for most schools' pupil privacy notices). We have updated our template privacy notices for staff, parents and pupils in light of the GDPR.

Data Subject Rights

Individuals are given stronger and additional rights under the GDPR. New rights include the right to data portability and the right to be forgotten. Subject access requests will also be more onerous to respond to, for example, because the time period for responding is one month in most cases and additional information must be provided such as the right to lodge a complaint with the ICO.

Staff should be trained to recognise when a right is being exercised due to the strict timescales for compliance. Your school should be able to locate personal information easily in response to subject access requests and data portability requests.

Marketing and Fundraising

Marketing and fundraising communications are subject to their own special rules. In particular, consent must be obtained before sending certain communications by electronic means, e.g. by email. With the more restrictive definition of consent introduced under the GDPR, you will need to check that any consents being relied on meet the more onerous requirements.

Where Do I Start?

Preparing for GDPR compliance can be a bit daunting and some schools are unsure of what to do first.

A first step should always be to carry out an audit on the personal data you hold. This should enable you to have a firm grasp on your data flows so that you can begin to tackle the areas outlined above. We have a free template which schools can use as a starting point for the audit process.

As part of an audit, you should also review your parent contract documentation to ensure that it is compatible with requirements of the GDPR.
If you would like a copy of the template audit, information about privacy notices or if you would like to discuss how we can assist with your preparations for the GDPR, please contact Andrew Gallie, in our Data Protection team, on 0117 314 5623 or Claire Hall on 0117 314 5279.

For further information about how we may assist in revising your parent contract, please contact John Deakin on 0117 314 5335.