From education to employment

6 rules to follow to remain compliant post #GDPR implementation

For the past few months, GDPR has been a much talked about subject. So you will not have failed to notice that on the 25th May 2018, the General Data Protection Regulation (GDPR) became law in all European member states, including the United Kingdom, and has completely replaced the Data Protection Act 1998 (DPA).

However, whilst many organisations and educational settings took time to prepare for the implementation date, it doesn’t end there. The GDPR, like the DPA before it, will continue to be an important part of all planning and induction training.

Here are 6 rules to follow to ensure you remain compliant:

1. Notification of a breach

Under the GDPR, data controllers are under an obligation to maintain a breach register where all breaches, no matter how trivial, are recorded and monitored.

For serious data breaches, where the breach is likely to result in a ‘risk to the rights and freedoms of individuals’, the breach must be reported to the ICO within 72 hours of becoming aware of the breach.

Where there is a high ‘risk to the rights and freedoms of individuals’ as a result of the breach, the data subject must also be notified of the breach without undue delay.

2. Conduct Data Protection Impact Assessment (DPIA) also referred to as a Privacy Impact Assessment (PIA)

If any data system is being introduced that involves using personal information in a way it has not been used before, or new data is being collected for a new purpose, then a DPIA must be conducted.

DPIAs can help to identify and reduce the risk of harm when using personal data. The DPIA poses a series of questions designed to ensure that organisations are thinking carefully about the implications of a new system before it is implemented – this is called ‘privacy by design’.

Note: A guidance checklist and a template for conducting a DPIA are freely downloadable from the ICO.

3. Identify and support a Data Protection Officer (DPO)

The GDPR introduced a new role of Data Protection Officer which all public authorities and bodies, including all educational establishments, should have in place by now.

Following the 25th May, the Data Protection Officer should:

  • monitor compliance with the GDPR and other data protection laws, data protection policies, awareness- raising, training and audits.
  • maintain a breach register; liaising with the ICO regarding serious data breaches,
  • monitor Data Protection Impact Assessment (where needed).

The Data Protection Officer must have authority and be empowered to carry out their role and report to the highest management level in your organisation. The person appointed cannot be disciplined for carrying out their role or disregarded or dismissed because the people at the top don’t want to do it.

To ensure your organisation remains compliant, Data Protection should be on the agenda at all high level monthly organisational meetings.

4. Formalise relationships with data processing suppliers

Under the GDPR 2018, it is illegal not to have a formal contract or service level agreement with your chosen data processor. Any new data processors or IT recycling suppliers that you work with must have minimum competencies and accreditations; using one who does not meet the minimum competencies will become a criminal offence.

5. Understand the right to erasure

Outside of schools, data subjects can demand that personal data held about them is erased. However, in a school setting student, records have to be retained under statutory provision in The Education (Pupil Information) (England) Regulations 2005:

  • For primary schools this is whilst the student is at the school, after which it should follow them when they leave.
  • For secondary schools, this is until the date of birth of the student is +25 years.

A full retention schedule for schools is freely downloadable from the Information and Records Management Service (IRMS) detailing all areas of document retention for a school. You should also speak to your local authority for further advice.

6. Implement robust induction training

As with evidencing compliance with the DPA, all new starters should receive GDPR training on induction using courses such as EduCare’s online training courses ‘An Introduction to the GDPR’ or ‘A Practical Guide to the GDPR for Education’.

Dawn Jotham, the Education Product Development Lead at EduCare

About Dawn Jotham: Dawn has extensive experience working in educational establishments, having held the positions including head of year, lead for student welfare and designated senior person for safeguarding. Dawn has an MA in Childhood and Youth Studies and combines that with her own knowledge and hands-on experience in education to develop safeguarding and duty of care training courses for the education sector, so her input to this article is very valuable.

Related Articles