- the impact of getting compliance wrong in the future will potentially be much more serious as sanctions have been increased;
- the requirements will have affected this autumn’s enrolment in that pupils and students who have just joined the roster come into scope in May 2018. As such, the way that they have been processed – and how consent was gained – will have an impact further down the line;
- for the further education sector, a particular concern will be the new requirement to provide specific protection to all data relating to children and vulnerable adults. This may require that additional controls be put in place;
- the role of the Data Protection Officer will assume a new importance, and this may mean that the current incumbent is not suitable for the role. Independence will be key, so schools and colleges may have to re-allocate the post to someone in a different position or even hire someone new with the skills necessary to carry out the role; and
- this is not an IT issue. Whilst data in systems will clearly need to be protected, the organisation as a whole will need to be involved, as new governance structures and control processes will be required.
This is not a get out of jail card – FE organisations still need to start their compliance processes as soon as possible if they have not already done so.
- The ICO have outlined a very useful 12-step approach to preparing for compliance that should be obtained and reviewed.
- Care should be taken to bring in data protection by design, i.e. don’t introduce any new systems or processes that don’t comply with the planned regulations.
- A data governance group should be set up to consider the implications of GDPR and drive compliance activity.
There are still many unknowns – for example the need for retrospective consent, interaction with existing legislation or the extent of any external audit regime – but schools and colleges can start building their revised compliance frameworks now and indeed, they need to do so without delay.
David Morris, technology assurance director at RSM