What does GDPR mean for schools?

This news may make us feel like the erstwhile Harold Lloyd strapped to a railway line, schools are in a much better position to comply with the changes associated with GDPR than they might think.

To start with, it’s important to realise that GDPR represents an evolution in existing data protection practice and not a wholesale change in how we manage data in schools. The principles of the existing Data Protection Act are not being overturned, rather the role of GDPR is to ensure that data is protected and to give individuals more control over their data.

But, there are some enhancements to existing protections and it also means schools will have greater accountability for the data they hold:

• Under GDPR, consent must be explicitly given to any use of personal data that isn’t within the normal business of the school, especially if it involves a third party processing the data. Parents must express consent for their child’s data to be used outside of the normal business of the school, and same for students depending on their age.
• Schools must be able to prove that they are GDPR compliant.
• Schools must ensure that their third party suppliers who may process any of their data are GDPR compliant, and they must have legally binding contracts with any company that processes personal data. These contracts must cover what data is being processed, who it is being processed by, who has access to it and how it is protected.
• It will be compulsory that all data breaches which are likely to result in a high risk of adversely affecting individuals’ rights and freedoms are reported to the ICO within 72 hours.

Crucially, whilst schools are already managing significant amounts of data regarding their students, parents and staff, the new regulations will mean more accountability, tougher penalties and a greater need for evidence of compliance.

Whilst many schools already have a robust data protection policy in place and have protocols to respect individuals’ rights, they will need to be able to demonstrate their compliance with the regulations. As schools prepare for the new regulations, some thoughts that they may wish to bear in mind are:

1. Work out what’s new about the regulations - a significant aspect of GDPR is the fact that schools not only need robust processes and controls, but also need to be more proactive in demonstrating them. There are also more things considered as sensitive data, and the bar is raised on where individuals should have transparency and choice about where their data goes.
2. Understand your school's data - any school should be on top of protecting sensitive data - know where it is stored, where it goes, and what is done with it. Take some time to draw up a picture of what data you hold, looking at where and how it’s used.
3. Focus on why this is important - whilst it is true that GDPR compliance is a legal requirement, for most schools the focus should be on that word ‘Protection’. It’s about keeping sensitive data about young and sometimes vulnerable children safe.

So where do schools go from here?

There is a plethora of information on GDPR available, but much of it is difficult to digest or too general in its scope to be of much use to schools. A good starting point is the Information Commissioner's Office (ICO) with its Overview of GDPR and the GDPR: 12 steps to take now guide. And, there are steps that schools can take immediately to start to ensure that they are ready for compliance:

• Ensure senior management team fully understand GDPR and its potential impact.
• Schools should document and review all of the personal data they hold, including data for students, staff, parents, suppliers and governors.
• Consider the personal data processed and ensure everyone understands how it is collected, where it came from, what it is used for and what risks are posed by its use (or misuse).
• Schools should make sure that all staff are trained according to their roles and responsibilities. This should include general GDPR awareness training for all staff as well as more detailed training for staff with relevant responsibility (e.g. Head Teacher, Deputy Head Teacher, Data Protection Officer).
• Schools should already have systems in place that verify individuals’ ages and gather parental consent for data processing where required.
• An important area for schools is to identify ALL software being used within the school. Recent developments in apps for education have led to many teachers downloading apps and using these in their classrooms with good intent, but without wider consideration of the implications regarding GDPR. Schools need to know what is being used, for what purpose and what personal data is involved so that they can ensure these apps are compliant.
• For the purposes of data protection and GDPR, schools are classified as a public authority and so they must assign a Data Protection Officer. It is important to consider where this role will sit in line with the school’s structure and governance arrangements, and it is mandatory that they must report to the highest management level of the school.

In some respects, preparing for GDPR is a bit like getting ready for a school inspection visit -  possibly not the most encouraging analogy I admit, but bear with me for a moment! As a school you know what you are doing to bring about the best outcomes for your students, but an inspection requires you to have appropriate evidence to demonstrate this.

Schools are already well practised in handling personal and sensitive data, and will have most of the necessary policies and processes in place to do so safely. Like inspection, GDPR requires us to be able to evidence the procedures we have in place and is a chance to make sure that the steps we are taking are still appropriate and effective.

Finally, I must stress that this article does not constitute legal advice. I recommend reading this post alongside the ICO guidance or articles from specialists such as the Department for Education.