What is GDPR, and how will it affect your school?

Tuesday, 03 April 2018 | Written by PrimarySite

As of the 25th May 2018 the way you manage all information and data within your school will change.

The current DPA (Data Protection Act) will be replaced by the GDPR (General Data Protection Regulation); a new updated procedure designed to keep sensitive information safer than ever. So, let’s take a deeper look into what the updated GDPR includes, and how it will affect your school.

What is the GDPR (General Data Protection Regulation)?

The GDPR is simply a new, updated data protection regulation to be followed by schools and other organisations. The new regulation has been designed to further strengthen the safety and security of data that is held by an organisation. The GDPR has been introduced to ensure further that personal data is protected. Victoria Tuffill, Managing Director of data protection experts Data Compliant, said;

“DPR is the new European General Data Protection Regulation which is designed to do many things, of which two are most significant.

  1. It strengthens the rights of ordinary people like us, giving us back the power and control over our personal data and how it is used by those schools and other organisations to whom we provide it.
  2. It ensures that responsibility for protecting that data lies with the schools and other organisations who process it.

To achieve the above, GDPR requires everyone who processes personal data to demonstrate and provide evidence of compliance with the 6 Principles of GDPR.

GDPR is included in the upcoming UK’s upcoming Data Protection Act which is currently going through Parliament, so Brexit will make no difference to the need to comply.”

The 6 key principles of GDPR

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

What affect will the GDPR have on schools?

The GDPR will definitely affect the way schools, academies and trusts look after their information. It will now be even more crucial to ensure all information is handled in a secure, compliant manner.

One key thing to consider is making sure that all information on your school website is updated and reflects that you comply with the GDPR.

How to prepare for GDPR

Educate: With the GDPR roll-out looming it’s crucial to educate everybody within your school who handles data about the changes.

Help: There’s no shame in asking for help. Many Data Protection companies are already offering advice on how to prepare for the GDPR.

Understand: The more people within the organisation who have a thorough understanding of the GDPR the better. This way knowledge can be easily shared, and any necessary checks are made.

Current Policy: Take a look at your current IT policy. Your old policy will contain a lot of useful information that will help ensure GDPR compliance.

Change: As a result of GDPR your Privacy Policy will no doubt need updating. This is extremely important as it means nobody who’s data you have obtained will be left in the dark about how it is going to/can be used.

On Privacy Policies, Victoria Tuffill of Data Compliance added; “Getting your Privacy policies right is vital. Your privacy policy is the window through which the world can see how seriously you take the protection of their personal data.”

Prepare: This legislation is being taken very seriously and it is likely that you will face assessments to ensure that your policies have come into line with the rules. You will not be able to claim ignorance on this issue and it’s clear that everybody could face large fines.

Blog Categories