Skip to main content

GDPR compliance and schools

By September 9, 2017December 5th, 2017No Comments

There’s no two ways about it – ensuring we as teachers comply with the regulations of the Data Protection Act is a serious matter. Surprisingly only a fifth of schools know that there has been reform on the Data Protection Act 1998 and schools have just until May 2018 to get compliant. Experts have said that the new rules constitute the biggest change to how personal information should be processed in the last 25 years. It has always been a shock to me when I visit schools and people don’t know who the ‘data controller’ is. Data should be something that all school leaders have a very serious handle on.

For the avoidance of doubt, there are fines attached to non-compliance and with the new regulations the maximum fine for certain data breaches in the UK will rise from £500,000 to €20 million (or 4% of your annual turnover – whatever the greater is).

Whilst that all sounds a bit scary it important to note that the GDPR (General Data Protection Regulations) are very similar to the current regulations, so if you have a handle on that then you are very likely to be able to transition to GDPR more easily.

The GDPR does introduce a step change in data protection legislation. The new legislation is designed to deal with the challenges of the online world and the data flows that occur in that world. The GDPR enhances existing rights and gives new rights. It puts greater obligations on to data controllers and they will have to now take further steps to demonstrate their accountability under the new regulations.

Some areas you may need to consider include:

  • Contracts
  • IT systems
  • Personnel changes
  • Governance

The ICO (Information Commissioners Office) have given lots of guidance and support around the GDPR.

  1. Awareness
  2. Considering the personal information you hold
  3. Communicating privacy notices
  4. Individuals’ rights
  5. Data Subject access requests (you will no longer be able to charge for this)
  6. Legal basis for processing
  7. Review of consent – unambiguous and explicit
  8. Children and handling their data – parental consent changes, potentially to age 13. Consent must also be verifiable – ie it should be on record, audited and be able to be produced upon request
  9. Preparing for data breaches
  10. Data protection by design
  11. Data protection officers
  12. International

More explanation of these steps can be found in this video from the ICO:

The following video which focuses specifically on GDPR and how it will impact upon schools is particularly useful:

As mentioned in my list above, the GDPR has new provisions designed to develop the protection of children’s personal data. The includes ensuring that the privacy notices mentioned above must be written in a clear way which a child would understand.

The GDPR also states that parental/guardian consent for access to online services is required. It will be important to find out whether the online services you use are handling the data of your children correctly. Parental consent will not however be required where processing of that data is related to services such as counselling for the child. It will be important that you check whether or not your third party suppliers (and this could be from IT systems, to the apps being used on devices in your school that use personal data) are GDPR compliant. Chances are that your third party suppliers won’t be compliant yet as the deadline is May 2018 and like you, many are still working towards compliance. You should however be making sure that they are working towards that compliance and recording the audit the record of you having checked too. If your third party suppliers are not GDPR compliant then you will need to take steps to ensure compliance in relation to your data subjects.

So what?

Whichever way you look at it, the GDPR are going to be coming into force in May 2018 and so you still have time to plan, get sorted and get compliant. This goes for you too if you run your own website or blog. You’re collecting data there too if you track views, use cookies, have signup forms, so forth and so on. It’s worth exploring for all of you!

There are lots of resources available to help you, such as the videos above. The ICO have also provided lots of resources to help:

12 steps to take now

Getting ready for the GDPR – checklist

Overview of the GDPR

Privacy notices code of practice

The following link has some great blog posts from the ICO too on GDPR myths.

I also highly recommend watching this video from Tony Sheppard.

If you’d like some advice around GDPR and how you can tackle it in your school, then please get in touch.



Mark Anderson

Mark Anderson, @ICTEvangelist. Click here to learn more.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.