There are five key areas of risk for schools:
These areas are largely linked so a risk mitigated in one area can go a long way to guard against risks in another. For example, having documentation regarding your practices, such as policies for staff, is helpful for keeping personal data secure and will also help with accountability.
Perhaps one of the most striking differences between the GDPR and the current Data Protection Act (DPA) is that compliance with the legislation will not be enough. You will also be expected to 'demonstrate' your compliance and show that data protection and information security are built into your practices. Some key mechanisms for demonstrating compliance include:
having a record of processing activities which is required by the GDPR
recording any consents received (although your school will only rely on consent in limited circumstances)
implementing robust data protection policies and training for staff
making data protection and privacy considerations integral to any decision involving the handling of personal data and documenting this (privacy by design and privacy by default)
carrying out Data Protection Impact Assessments before starting to use personal data in a 'high risk' way
Your school should have robust measures in place to keep personal data secure which links to the accountability requirement above. Having staff training and policies, considering data protection when taking decisions involving personal data, and carrying out Data Protection Impact Assessments are essential for keeping personal data secure. Your IT team should put in place technical measures to guard against risks.
Certain data breaches must be reported to the Information Commissioner's Office and to affected individuals. Having a data breach policy and procedure to be followed in the event of a breach or suspected breach is highly recommended.
Under the DPA, individuals must be given information about how your school uses their personal data. This information is usually provided in a document known as a privacy or transparency notice. More information must be provided in these notices under the GDPR compared to the DPA. Clear and plain language should be used, especially where addressed to children (as will be the case for most schools' pupil privacy notices). We have updated our template privacy notices for staff, parents and pupils in light of the GDPR.
Individuals are given stronger and additional rights under the GDPR. New rights include the right to data portability and the right to be forgotten. Subject access requests will also be more onerous to respond to, for example, because the time period for responding is one month in most cases and additional information must be provided such as the right to lodge a complaint with the ICO.
Staff should be trained to recognise when a right is being exercised due to the strict timescales for compliance. Your school should be able to locate personal information easily in response to subject access requests and data portability requests.
Marketing and fundraising communications are subject to their own special rules. In particular, consent must be obtained before sending certain communications by electronic means, e.g. by email. With the more restrictive definition of consent introduced under the GDPR, you will need to check that any consents being relied on meet the more onerous requirements.
Preparing for GDPR compliance can be a bit daunting and some schools are unsure of what to do first.
A first step should always be to carry out an audit on the personal data you hold. This should enable you to have a firm grasp on your data flows so that you can begin to tackle the areas outlined above. We have a free template which schools can use as a starting point for the audit process.
As part of an audit, you should also review your parent contract documentation to ensure that it is compatible with the requirements of the GDPR.