Well, it is clear that the manner in which schools should implement the GDPR will continue to evolve.
The Information Commissioner (ICO) will continue to release guidance regarding GDPR implementation, and we can also expect advice to schools to be updated once the first court cases on the GDPR are published.
Best practice will develop as schools wrestle with the application of the GDPR in practice and the DfE will release the updated version of their GDPR toolkit for schools.
One recent but significant update already made by the ICO is that a subject access request (SAR) can be made verbally, and does not need to be in writing, as previously understood.
It is important that your staff are alert to this and trained to recognise what might constitute a SAR. This does create scope for individuals to assert that the clock is ticking from when a verbal request is made, or assert a breach if a request for personal information is not recognised or acted upon. We believe it is reasonable to ask individuals to confirm their request in writing, which enables clarity on the scope of any request and the timescale for a response.
We appreciate that the uncertainty and amount of change is frustrating and burdensome. It means that although most schools have published their privacy notices and policies, these documents are likely to be subject to changes over the coming months. We will help schools make the judgment as to how often the updates should be made - balancing strict adherence with the need to avoid bombarding staff and parents with minor changes.
Our suite of data protection policies and privacy notices is tailored specifically for use by independent schools and addresses issues that commonly arise.
The Data Protection & GDPR module of our Compliance Toolkit has been specifically designed to help you keep on top of changes and how these should be actioned in policies and procedures.