What does the General Data Protection Regulation (GDPR) mean to those in education? Education Business caught up with some experts from the GDPR Advisory Board to grill them about the regulation’s impact and what schools need to be doing before May
The General Data Protection Regulation (GDPR) is the European Union’s new regulation on data and cyber-security. It’s designed to strengthen data protection for everyone, and that includes children and their families. It comes into force on 25 May 2018, which means schools have less than a term to ensure compliance.
Nick Richards, CEO of GDPR training provider Me Learning and member of the GDPR Advisory Board, explains the rationale behind the new law: “GDPR brings European data protection laws up to date with the modern technological age and replaces the 1998 Data Protection Act (DPA). It has a much greater emphasis on consent (ensuring that families agree to schools holding students data) and the documentation data controllers must keep (maintaining good records of data storage).”
Nick explained who should be aware of the changes within the school staffing community and how best to implement it: “All staff – from your caretaker, to the dinner ladies, to the teachers – must be GDPR aware so that any personal data is handled in an appropriate way. Online training is a great way to implement this in a cost effective, but efficient way. There are a number of good courses available.
Try www.melearning.co.uk/gdpr for a selection. The Practitioner course is ideal for the person taking charge of GDPR compliance within the school, whilst the Core (soon to be updated to staff) course is suitable for the wider school staffing community.”
A legal perspective
Piers Clayden of Clayden Law, another expert at the GDPR Advisory Board, shares some advice for schools from a legal perspective. He said: “Let’s cut to the chase. What five things do you think schools should be doing to make sure they are GDPR compliant?
“GDPR is vast but there are some very key elements that schools should be doing, such as demonstrating that they are taking data protection seriously – up-to-date policies, record keeping and staff training are all important elements of this.
“Schools should also be ensuring that the public-facing information notice reflects the reality of how the school actually does use and treat personal data behind the scenes. In addition schools need to ensure that it has proper organisational and technical measures and policies in place to keep personal data safe and secure – having a robust information security policy which is actually adhered to throughout the business is part of this.
“Schools should make sure that if they were to suffer a security breach (where personal data was accessed outside of the organisation without authorisation) it would be able report this to the regulator (the Information Commissioner’s Office) within 72 hours of becoming aware of this breach.
“Finally, schools need to be making sure that, where personal data is processed on your behalf by an external organisation, contracts are in place that meet the requirements of the GDPR.”
Explaining what information the GDPR applies to Piers says: “GDPR will apply to schools in respect of any personal data (that is, any information which relates to an identified or identifiable living person) – so that includes, pupils, alumni, parents, teachers, support and admin staff, governors and trustees.”
Data Protection Officer
Do schools need to appoint a Data Protection Officer? Piers explains the requirements: “Having a data protection officer (DPO) is a mandatory requirement for public authorities and so where schools are “public authorities” then they will need to have one. Even if not a public authority, given that a DPO is also mandatory for organisations that carry out systematic and regular monitoring of data subjects on a large scale, it is likely that a school would nevertheless fall within this category.
“A DPO can certainly be a shared appointment with other schools. What is important is that the person is independent (free from any conflict of interest with the school) and also close enough to the school to know what is going on there from a data protection point of view.”
How will GDPR effect child data?
Talking specifically about how the GDPR will effect child data, Piers commented: “Whilst the GDPR and regulator guidance makes it clear that personal data on children is worthy of special attention since they are potentially “vulnerable”, on one level, the data protection principles that apply to the processing of children’s personal data by schools have not changed particularly from the current regime under the Data Protection Act.
“For example, fair and lawful processing, data retention, accuracy and ensuring that information is kept in a secure way are all the same.
“However, what has changed is that schools will need to develop much more robust and extensive record keeping processes to show exactly how they are complying with the GDPR (ie being accountable). Staff training is a big part of showing “accountability”.
“Also, schools will need to develop new processes to enable them to deal with the new enhanced rights that children have over their personal data. For example dealing with the so-called “right to be forgotten”.
“Finally, schools have to be transparent over how they handle personal data and inform children in a way they can understand.”
How can schools store their data securely?
Professor Alfred Rolington is a highly regarded cyber security expert with the GDPR Advisory Board. He lectures at Oxford University and has written a number of books on the issue. He shares some useful cyber security tips to aid the GDPR compliance process. He said: ”Schools should ensure they have an effective endpoint, network and email protection that filters out spam, malware and dangerous file types.
“It is also very important to continue to train all staff to be wary of emails, especially those that contain attachments, and to report any unusual emails or attachments. Malware hacks will vary from different attackers – and they will become more sophisticated. On-going training for employees and management is very necessary. Segregate your networks with next-generation firewalls so that your internal departments are separated. Install endpoint protection software that can identify and block infections in and going to your systems.
Alfred added: “Make sure you implement full disk protection and encrypt sensitive data stored on servers, or removable media. Particularly those used for sharing with school partners.
“Make parents aware of your cyber security efforts and the training you give to staff as this will give them more confidence in how you are handling their children’s personal information.
“And if you move to the cloud make sure that the ability to encrypt the data, both in the cloud and also when being transferred, is properly dealt with.”
The GDPR Advisory Board also advises that there should be irregular security cyber audits that should identify and help to improve and patch system vulnerabilities and that there should be a record kept of all activity and this should be monitored for suspicious and irregular activity.
GDPR might feel daunting but handled well this is a great opportunity for schools to sense check the personal data they hold and manage it in an efficient way moving forward.
If you have any further questions, please get in contact with the GDPR Advisory Board directly, or for GDPR training co‑written by legal experts at Clayden Law, visit www.melearning.co.uk/gdpr. L