GDPR for Schools – Are You Ready?
The EU General Data Protection Regulation (GDPR) comes into force on the 25th May this year – your school will need to be ready to comply with this new regulation by this date, or risk significant fines.
What is GDPR?
In short, GDPR is a piece of legislation that aims to unify data protection for all EU nationals. Despite Brexit, British businesses and schools still need to comply with these requirements. This is the biggest update to data protection rules in 20 years, and a much-needed change to laws that were not suited to the current digital world.
It will be enforced by the ICO, and will provide new rights for people to:
1) Access information that companies hold on them
2) Understand how their data is managed
3) Provide specific consent for how and when their data is used and stored
Why it Matters for Schools
While all businesses are affected by GDPR to some extent, schools need to be particularly careful since they process and store data about children – a group who have specific protections under GDPR. The ICO recommend that you put systems in place to verify people’s ages and gather parental consent for data processing.
This is the first time that EU legislation has brought in special protection for children’s personal data. If your school collects data on children under the age of 13, you need specific parental consent to process their data. This consent needs to be clear, specific, and verifiable, as well as being written in a way that all users (including children) will understand.
What Steps Should My School Take?
Every school and business should get independent legal advice on its own situation and its data processing and storage environment. However, the ICO and other organisations have published general guidance to help people prepare for GDPR.
You will need to educate both internal stakeholders and website visitors about rights and requirements related to GDPR. Internally, you will need to make sure that decision makers and key staff know about GDPR, the likely changes that will come into effect, and the impact this will have on your school.
Externally, you will need to update the privacy and data processing notices on your website so that they reflect your new GDPR-compliant policies. This includes telling people in plain, simple English what you will do with their data (for example, when they submit a contact form) and giving them the option to opt out of things like marketing activities. Pre-ticked boxes and assumed consent are no longer acceptable after May 25th. Proper consent is at the heart of GDPR and it is essential that you gain it every time a user submits information – depending on the user’s age and the nature of your website, this consent may need to come from parents/guardians rather than from children.
Your school will already have a large repository of information regarding potential, existing, and past pupils, and perhaps even information on people who requested prospectuses or attended open days many years ago but never actually joined your school. You will need to audit and document all of this personal data, where it came from, and who you share it with. You may need to delete a lot of information if there is no justifiable reason for keeping it, and should put processes in place to clean your data as and when it becomes unnecessary.
You will also need to ensure that data protection is built into your processes ‘by design’ and should carry out a data protection impact assessment. Many organisations with a small number of staff do not need to do this or to appoint a data protection officer, but schools process children’s information and will therefore be held to a higher standard.
Once you know what information you hold and where new information comes from, it is essential that you keep it secure from the moment you obtain it through to how and when you delete it. This means you will also need to check with your data processors – such as MailChimp, your MIS (management information system) provider, or Google – to ensure that they are GDPR compliant too. Many of these large companies are US-based but deal with individuals in the EU, so they should be taking steps towards compliance. However, your data remains your responsibility, so the onus is on the school to ensure that this is done properly.
Once you have taken the proper measures to gain consent, secure data, and update your policies, you will need to maintain them. This means dealing with subject access requests properly, cleaning old data, and deleting data as and when necessary. GDPR compliance is not a single step – it is an ongoing process for dealing with data and ensuring that it is kept as safe as possible for as long as you retain it.