School IT Blog

What Are the GDPR Implications for Schools?

Mon 05 March, 2018

With fewer than 100 days until the new regulation comes into effect in May, it’s vital to make sure you’re up to date. But what is it, and what are the GDPR implications for schools? Rest easy, as we break it down in this GDPR guide for schools.

What is GDPR? 

GDPR, simply, stands for the EU General Data Protection Regulation. Approved by the European Parliament in April of 2016, GDPR aims to replace the Data Protection Directive 95/46/EC, which was established way back in 1995, before the digital world exploded. In Britain, it replaces the UK Data Protection Act of 1998 (created to align with the Data Protection Directive). In comparison with the older directive, the GDPR applies to all companies that process personal data (names, photos, emails, etc.) within the Union, including schools.

Crucially, one of the most important GDPR implications for schools is the strengthening of consent. Requests for consent to use data must use clear language and be in an easily accessible form. For those under the age of 16, parental consent will be required, although the EU acknowledges that member states may legislate for a lower age (as long as it is above 13).

Considering Britain’s exit from the European Union, however, the age is most likely to remain at 16 in the UK. It is important to note that the EU advises the UK to follow the GDPR despite Brexit, as a UK-bound alternative is likely to largely follow the same regulations.

Penalties for not following the GDPR

Not following the GDPR can lead to extreme financial punishments, up to 4% of annual global turnover, or 20 million euros. Schools will not face such an extreme, but there are various tiers to the penalties, depending on the severity of the offence. 

How can schools prepare for the new regulations? 

It is important to ensure that parents and staff understand the new regulations, and what they mean for students’ data. A review of your school’s current policies may be required, with plans made for any possible changes.

As consent and transparency are at the heart of these new regulations, it’s important that the process for obtaining and recording consent is reviewed and adapted accordingly. You must also ensure that when individuals withdraw their consent, their data is permanently erased. It’s important, too, to ask what systems are in place to verify the age of individuals and to obtain this consent in the first place. If these systems appear unclear, they may need to be changed.

If there is a data breach, it is important that subjects who have their personal data processed are notified as soon as the breach is noted. Moreover, the breach must also be reported to the relevant authorities within 72 hours of it being discovered. 

To ensure compliance, a designated Data Protection Officer is an important addition to your school, as is an accredited Data Processor, who is also aligned with GDPR obligations and IT asset disposal. Finally, an e-safety policy to ensure your compliance would also be of use to you and your school.

It's important you can go into the future feeling safe and confident that you understand the GDPR implications for schools. If you have any questions, please feel free to get in touch with us.