What Are the GDPR Implications for Schools?
Mon 05 March, 2018
With less than 100 days until the new regulation comes into effect on 25 May, it’s vital to make sure you’re up to date. But what is it, and what are the GDPR implications for schools? Rest easy, as we provide you with a breakdown of GDPR for schools.
What is GDPR?
GDPR stands for the EU General Data Protection Regulation. Approved by the European Parliament in April 2016, it replaces the Data Protection Directive 95/46/EC, established back in 1995, before the digital world exploded. In Britain it replaces the UK Data Protection Act 1998 (which was created to implement that directive). Unlike the old directive, which each member state had to transpose into its own law, the GDPR is a regulation and applies directly and uniformly across the union. It applies to every organisation that processes personal data (names, photographs, email addresses, pupil records and so on), public bodies and schools included, not only to commercial companies.
Crucially, one of the most important GDPR implications for schools is the strengthening of consent. Where consent is relied upon, the request must be separate from other terms, written in clear and plain language, and as easy to withdraw as it was to give, and the school must be able to demonstrate that it was given. Consent is only one of six lawful bases for processing, however, and for most of a school’s core record-keeping the appropriate basis is performance of a public task or a legal obligation, not consent; consent is relevant for optional processing such as using pupils’ photographs in marketing material. For online services offered directly to children, the regulation requires parental consent for those under 16, although member states may legislate for a lower age provided it is no lower than 13.
Brexit does not change this for the UK. The regulation applies in the UK because it came into force while the UK was still a member state, and the Data Protection Act 2018 supplements it rather than offering a separate alternative. On the age of consent for online services, the Data Protection Bill before Parliament at the time of writing set it at 13, the lowest the regulation permits, and that is the age the Data Protection Act 2018 enacted.
Penalties for not following the GDPR
Not following the GDPR can lead to severe financial penalties. There are two tiers: up to 10 million euros or 2% of annual global turnover, whichever is higher, for failures such as not keeping processing records, not reporting a breach or not appointing a required Data Protection Officer; and up to 20 million euros or 4% of turnover, whichever is higher, for breaching the core principles, the conditions for consent or data subjects’ rights. Turnover is not a meaningful measure for a school, and the regulation leaves it to each member state to decide whether and to what extent fines apply to public authorities, but a fine is not the only sanction: the supervisory authority can also issue warnings, reprimands and orders to stop processing. The amount of any fine depends on factors such as the nature, gravity and duration of the offence, whether it was deliberate or negligent, and what was done to mitigate it.
How can schools prepare for the new regulations?
It is important to ensure that parents and staff understand the new regulations and what they mean for pupils’ data. Start by mapping what personal data the school holds, where it came from, what it is used for, who has access to it and how long it is kept; the regulation requires a written record of processing activities, and this audit usually reveals where current policies need to change.
As consent and transparency are at the heart of these new regulations, the process for obtaining and recording consent must be reviewed and adapted. Keep a record of who consented, when, how and to what, and make withdrawing consent as easy as giving it. When an individual withdraws consent, any processing that relied on it must stop; the data should then be erased unless the school has another lawful basis or a legal duty to keep it, as it will for statutory pupil records. For online services aimed at children, ask what reasonable steps are taken to verify that the person giving consent is old enough or that a parent has authorised it. If these processes are unclear, they need to be changed.
If there is a personal data breach, the school must notify the supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. Where the breach is likely to result in a high risk to those individuals, for example lost safeguarding records or health information, they must also be told without undue delay so that they can protect themselves. Every breach, reported or not, must be documented, recording the facts, its effects and the remedial action taken, so have an incident procedure in place that staff know how to trigger before the 72-hour clock starts.
To ensure compliance, appoint a Data Protection Officer: the regulation makes this mandatory for public authorities, which covers state schools. Identify every third party that processes personal data on the school’s behalf, from the management information system and cloud email provider to the IT asset disposal contractor who wipes or destroys old equipment; each is a data processor, must be bound by a written contract that meets the GDPR’s requirements, and must itself be able to demonstrate compliance. Finally, an e-safety policy that covers how pupil data is handled would also be of use to you and your school.
UPDATE: August 2019
On 25 May 2018, GDPR came into effect, with the Data Protection Act 2018 replacing the 1998 Act in the UK on the same day. Over a year on, we take a look at three key implications GDPR has had for schools.
Increased Data Protection Awareness
Since GDPR came into effect, it has become increasingly important for schools to understand what constitutes personal data. Can the data you hold identify an individual, directly or when combined with other information? Where has it come from? Who has access to it, and is that access still needed? Staff need to be able to answer these questions and to recognise a potential breach, whether a misdirected email, a lost USB stick or a spreadsheet shared with the wrong class, and escalate it immediately so that the 72-hour reporting deadline can be met. Sufficient training, refreshed regularly, must be provided to foster a culture of data protection compliance.
New Staff Member: Data Protection Officer (DPO)
Under GDPR, every public authority must appoint a Data Protection Officer, which in the UK covers all state-funded schools and academies; independent schools should check whether they fall within the definition, and are well advised to appoint one in any case. The DPO can be an internal position or an external party covering several schools, but must have expert knowledge of data protection law, must report to the highest level of the school’s management, must not be instructed how to carry out the role or penalised for doing so, and must be given the resources and access needed. The DPO monitors compliance, advises on data protection impact assessments and acts as the point of contact for pupils, parents, staff and the supervisory authority, so the school must publish the DPO’s contact details and notify them to the supervisory authority.
Third-Party Processor Agreements
One of the most important areas that schools have had to focus on is their relationship with third parties: management information systems, cloud email and document storage, online learning and homework platforms, cashless catering and payment providers, CCTV maintainers, school photographers and IT disposal firms all handle pupil or staff data on the school’s behalf. Since GDPR came into effect, each such processor has direct obligations of its own and must have a written contract with the school that, at a minimum, requires it to process data only on the school’s documented instructions, keep it confidential, apply appropriate security measures, seek the school’s approval before using sub-processors, assist the school with data subject requests and breach notification, delete or return the data at the end of the contract, and submit to audits. This applies to both new contracts (that began after May 2018) and existing contracts (that were in place before GDPR), so schools have had to amend existing agreements that lacked these terms, and to check that the processor itself can demonstrate compliance.