
GDPR for Schools – Are You Ready?

10th January 2018

The EU General Data Protection Regulation (GDPR) comes into force on the 25th May this year – your school will need to be ready to comply with this new regulation by this date, or risk significant fines.

What is GDPR?

In short, GDPR is a piece of legislation that aims to unify data protection for all EU nationals. Despite Brexit, British businesses and schools still need to comply with these requirements. This is the biggest update to data protection rules in 20 years, and a much-needed change to laws that were not suited to the current digital world.

It will be enforced by the ICO, and will provide new rights for people to:
1) Access information that companies hold on them
2) Understand how their data is managed
3) Provide specific consent for how and when their data is used and stored

Why it Matters for Schools

While all businesses are affected by GDPR to some extent, schools need to be particularly careful since they process and store data about children – a group who have specific protections under GDPR. The ICO recommend that you put systems in place to verify people’s ages and gather parental consent for data processing.

This is the first time that EU legislation has brought in special protection for children’s personal data. If your school collects data on children under the age of 13, you need specific parental consent to process their data. This consent needs to be clear, specific, and verifiable, as well as being written in a way that all users (including children) will understand.

What Steps Should My School Take?

Every school and business should get independent legal advice on their unique situation and their data processing and storage environments. However, the ICO and other organisations have published some general advice to help people prepare for GDPR.

Educate

You will need to educate both internal stakeholders and website visitors about rights and requirements related to GDPR. Internally, you will need to make sure that decision makers and key staff know about GDPR, the likely changes that will come into effect, and the impact this will have on your school.

Externally, you will need to update the notices on your website regarding privacy and data processing to ensure that they reflect your new GDPR-compliant policies. This includes letting people know in very plain and simple English what you will be doing with their data (such as when they submit a contact form) and giving them the option to opt out of things like marketing activities. Pre-ticked boxes and assumed consent are no longer acceptable after May 25th. Proper consent is at the heart of GDPR and it is essential that you gain this every time that a user submits information – this consent may need to be given by parents/guardians rather than children, depending on the child's age and your website.

Audit

Your school will already have a large repository of information regarding potential, existing, and past pupils, and perhaps even information on people who requested prospectuses or attended open days many years ago but never actually joined your school. You will need to audit and document all of this personal data, where it came from, and who you share it with. You may need to delete a lot of information if there is no justifiable reason for keeping it, and should put processes in place to clean your data as and when it becomes unnecessary.

You will also need to ensure that data protection is built into your processes ‘by design’ and should carry out a data impact assessment. While many organisations do not need to do this or appoint a data protection officer if they have a small number of staff, schools process children’s information and will therefore be held to a slightly higher standard.

Secure

Once you know what information you hold and where you get new information from, it is essential that you keep the information secure from the moment you gain it through to how and when you delete it. This means you will also need to check with your data processors – this may be MailChimp, MIS, or Google – to ensure that they are GDPR compliant too. Many of these large companies are US-based but deal with individuals in the EU, so they should be taking steps towards compliance. However, your data is your responsibility, so the onus is on the school to ensure that this is done properly.

Maintain

Once you have taken the proper measures to gain consent, secure data, and update your policies, you will need to maintain them. This means dealing with subject access requests properly, cleaning old data, and deleting data as and when necessary. GDPR compliance is not a single step – it is an ongoing process for dealing with data and ensuring that it is kept as safe as possible for as long as you retain it.
