How will GDPR affect your school?

By now it’s hit you. The GDPR is here to stay. It made its grand appearance on the 25th of May, the date which was marked as a revolution in privacy.

Fact – Schools handle a large amount of personal data including information of students such as grades, medical information, contact details and so much more. Schools also hold information of prospective teachers, suppliers and loads of sensitive information which is considered to be gold in the world of data. Put simply, the GDPR will bring more focus on data protection. Schools are sitting on tons of personal data so you can safely assume that achieving compliance for any school will require the unconditional support from all staff, leaders, teachers, as well as support any staff the school may have.

6 major changes schools need to make
Schools are expected to have someone within the senior team who is entirely responsible for the GDPR and data protection in general. The selected candidate needs to have adequate resourcing and a solid understanding of what GDPR is, how the school functions and what the management of the educational entity has already implemented. Engaging an internal or external DPO is not enough though. Part of the process of becoming compliant is to make sure that everybody has received adequate training and that anyone working at your school has a solid understanding of what privacy is and what the GDPR is all about. Here are the top six major changes GDPR will bring.

1. New Recording Keeping
Mapping data and having records of processing across all school systems is one of the biggest and most important changes. Schools need to understand where their data is stored, how it is processed and whether it is done internally, by a third party or by both.

2. Demonstrating compliance
Schools need to document every system used to process personal data. They also need to map how this data is transferred to other systems or any third parties.

3. Appointing DPO
Schools must appoint a Data Protection Officer (DPO) to ensure that their school is fully compliant to the new regulations. The DPO may be an external third party.

4. Designing processor agreements
For any third-party processors schools must have contracts in place stipulating that personal data is handled in compliance with the GDPR.

5. Reporting a data breach
If personal data has been put at risk, schools may be required to inform the ICO, and in some cases, the individual at risk. This should be done within 72 hours of the breach being discovered.

6. Investing in staff training
Despite the best efforts of the DPO in using compliant processes, these are only as secure as the people using them. Making sure staff are trained and that there is a culture of data compliance is crucial.

So what will happen after 25 May 2018?

From 25th May, any data subject (meaning, someone whose data the school holds) can exercise certain rights with regards to their data. This means that a parent could ask for a school to produce all data it currently holds on their child, or a job applicant could ask you to erase all their details. Under the new law an individual could ask for their data in a portable form so they can pass it on to another organisation. The school would be legally obliged to carry out these requests within 28 days of the request being given.

While the new GDPR regulations will mean more accountability, tougher penalties and a greater need for evidence, many schools already have a robust data protection policy in place and already respect individuals’ rights and freedom.

One thing is for sure, the GDPR, is a data protection game-changer and TheStudentCampus team will guide schools each step of the way.