School IT Blog

​General Data Protection Regulation, or GDPR

Tue 12 December, 2017

General Data Protection Regulation, or GDPR, will overhaul how businesses process and handle data. This will affect schools as well.

So what is GDPR?
The GDPR is Europe's new framework for data protection laws – it replaces the previous 1995 data protection directive, which current UK law is based upon.
GDPR will come into force on May 25 2018. It will change how businesses and public sector organisations can handle the information of customers.
Under current legislation you already have a duty of care to ensure that this data is kept safe and secure. And with the GDPR coming into effect you’ll have an increased responsibility to ensure this information – regardless of what form it’s kept in – is managed in the right way in compliance with this new regulation.
Whilst you may see some similarities between the GDPR and the DPA, there will be some significant differences that will have a real impact on the way data is handled and ultimately affect the way you manage information in your school:
• Penalties – under the DPA, non-compliance could see fines of up to £500,000 imposed by the ICO. However, failure to comply under the GDPR could see fines of up to €20 million (or 4% of global turnover – whichever is greater) for both the Data Controller (i.e. you) and anyone else involved in the chain such as the Data Processors (i.e. your recycling partner). That’s a hefty price to pay for not following the rules!
• Contracts – whilst it’s good practice to show due diligence when choosing an IT recycling partner, there’s currently no formal obligation to have a contract in place with your chosen Data Processor. But this is all set to change. Under the GDPR it will be illegal to not have a formal contract or Service Level Agreement (SLA) in place with your chosen partner.
• Data Processors – under the GDPR it will also be a criminal offence to choose an IT recycling partner/Data Processor who doesn’t hold the minimum competencies and accreditations for IT asset disposal (i.e. ADISA, ISO 27001, Blancco etc.). You must be able to demonstrate that you are working with an accredited company when it comes to disposing of your data bearing end of life IT assets (i.e. your server).

Related article: What Are the GDPR Implications for Schools?

What you need to do before May. Have an e-safety policy in place Putting a clearly defined e-safety policy in place is vital in ensuring that all key stakeholders know what needs to be done to remain compliant when the GDPR comes into effect. It also helps to protect not only your students but also all of the data that’s held on the systems within your school. An e-safety policy can help keep everything safe against any occurrence – be it malicious attacks on your network, viruses, phishing, or even the way your end of life hardware is being destroyed.

Ofsted will come down hard on any institution that doesn’t have the correct policies and procedures in place. Best practice is to find a suitable partner who can help you manage all of that in a safe, secure and compliant way – or better yet can do it all for you! Train your staff in data protection. All staff that have access to personal data should receive mandatory basic data protection training and key staff that need to know more should get enhanced training. Keep records of who has received training and when and ensure that those staff who didn’t attend (for whatever reason), get trained as well.

Appoint a Data Protection Officer Carry out a data protection audit so you have a map of your personal data flows already in place when GDPR goes live. For more information follow these links:

By Anna Mead