GDPR and the impact on Schools
What is the GDPR?
GDPR stands for the General Data Protection Regulation which comes into force on the 25 May 2018. While there are similarities with the existing Data Protection Act 1998, there are also new requirements for businesses and public bodies.
What are the new requirements for GDPR?
The GDPR builds on the existing framework but places greater emphasis on accountability and governance. It will be for all schools to appoint a Data Protection Officer (if they have not done so already) to oversee and manage the GDPR requirements.
Under GDPR the list of information required to be provided to individuals will increase significantly and will be split into cases where some information has to be communicated in all cases whilst a second subset of information has to be provided in other certain circumstances. The ways you deal with the different categories of information should be contained in the Privacy Notice.
Schools now have to give more thought to the legal basis for processing personal data. Whilst the grounds may broadly replicate those already set out in the DPA more thought has to be given to this as parents or children may have to be informed, and you have to explain your reasons in your Privacy Notice or your response to the Subject Access Request (SAR).
The process to follow when you receive a SAR is also changing, with the timescales reducing from 40 days to within one month in most cases. You can no longer charge for an SAR. However, manifestly unfounded or excessive requests can now be charged for or refused (but reasons for refusals have to be clearly set out in your policy).
What happens if my school fails to comply?
Failure to comply with GDPR can be catastrophic. There can be administrative fines levied up to 10 million euros or up to 2% of turnover, whichever is higher. Avoiding a potential fine is paramount to ensure the future of a school.
How we can help
We have a dedicated Education team who know and understand the impact of GDPR and can offer a Data Protection Officer Support Package. This includes support during a full Data Protection Audit, in which we help identify sources of data, legal reasons for the processing of data and the process flows of the processing of that data to show any potential ‘red flags’. We can also advise and redraft the Privacy Notice, Data Protection and Subject Access Request policies and the Parent Contract. We can also advise on Policy Impact Assessments (PIA).
The Data Protection Officer Support Package is a tiered package in which we charge per pupil. The cost per pupil at any stage will be less than a cup of coffee per pupil. This means that for any Multi Academy Trust or larger school we can offer savings via economies of scale based on the number of pupils on the roll.