With technology developing rapidly and the legislation changing this year, compliance with data protection law can seem like a daunting task. The new General Data Protection Regulation (GDPR) comes into force in May, but it’s certainly not too late for schools to take steps to put in place effective policies, procedures and staff training. 

The basics

The Data Protection Act 1998 (DPA) controls how personal data (information your school holds which relates to pupils, parents, staff, etc.) is used by schools. Schools will process (e.g. hold, use, transfer) large amounts of personal data, and are therefore under an obligation to protect that information and handle it properly. The DPA sets in place principles and specific rules that schools must follow. 

The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold data protection rights. The ICO can issue fines for non-compliance of up to £500,000 under the DPA. 

The GDPR 

On 25 May this year, the DPA will be superseded by the GDPR. The GDPR is produced by the European Commission, and covers all aspects of data protection. 

The GDPR will apply because the UK will still be part of the EU in May, but our forthcoming departure makes the situation more complicated. To ensure a smooth transition regarding data protection following Brexit, the Data Protection Bill has been drafted. The Data Protection Bill will support the introduction of the GDPR, as well as generally modernising data protection laws. 

What is changing?

The GDPR and the Data Protection Bill build on the current DPA, but introduce stricter rules and additional obligations on schools. What are the key changes?

 – Fines 
Under the GDPR, the maximum fine will increase to the higher of €20 million and 4% of annual worldwide turnover

 – Privacy notices 
The DPA requires schools to be transparent when handling personal data. This includes providing information about how the data is used, typically in a privacy notice. The GDPR will require significantly more information to be included in privacy notices. For example, individuals must be told about their right to complain to the ICO and must be given information about how long their data is kept for

 – Information security 
The GDPR makes explicit reference to having data protection policies, and requires controllers to consider specific privacy-enhancing techniques such as pseudonymisation and encryption 

 – Privacy by design and data protection impact assessments 
The GDPR makes privacy by design an express legal requirement. When introducing any new technology, product or service that involves processing personal data, privacy and data protection compliance should be considered from the start of the project. A formal Data Protection Impact Assessment will be mandatory where data processing is likely to result in a ‘high risk’ to individuals

 – Record keeping 
The GDPR contains extensive requirements around record keeping and being able to show a paper trail of compliance

 – Reporting obligations 
Under the DPA, there is no legal obligation to report data security breaches to the ICO. The GDPR creates a new obligation to report data breaches to the ICO that pose a risk to individuals, and in some cases to notify the individuals affected

 – Fundraising and consent 
The GDPR sets a higher standard for consent. For example, blanket consents are insufficient, as are pre-ticked boxes consents “hidden” in terms and conditions. It must also be as easy to withdraw consent as it was to give it. These changes reflect the idea that consent is not a one-off tick box procedure, but is an ongoing and actively managed choice. This is particularly relevant for consents obtained for fundraising

 – Children 
The GDPR will bring in special protection for children’s personal data. Where online services are offered to children (e.g. social media) and consent is relied on to collect information, consent must come from a parent until the child is aged 13

 – Subject Access Requests 
The right to make a Subject Access Request exists under the DPA, and will be familiar to many schools. The main change to Subject Access Requests under the GDPR is a reduction in the deadline, from 40 days to one month

 – New data subject rights 
The GDPR will introduce various new rights for data subjects and will further enhance existing rights. For example, data subjects will have the ‘right to be forgotten’, meaning that they can require a school to delete their personal data

 – Processors
There are additional provisions that must now be contained in the written contracts between a school and each of its processors (for example, IT providers, payroll providers and cloud storage providers)

 – New criminal offence 
The Data Protection Bill will introduce an offence for altering, erasing or concealing personal data with the intention of preventing its disclosure in response to a Subject Access Request

5 key risk areas for schools

1. Accountability
Schools must ‘demonstrate’ compliance with the GDPR. You should ensure that you are keeping records of processing activities, consents, Data Protection Impact Assessments. You should also have robust data protection policies and training for staff

2. Information security
Having staff training and policies, taking the privacy by design approach (as described above) and carrying out Data Protection Impact Assessments are all essential for keeping personal data secure. Your IT team should put in place technical measures to guard against risks as well. Having a data breach policy in place is highly recommended

3. Transparency
You should update your privacy notices to include the additional information required under the GDPR. Privacy notices should be written in plain language, especially when addressed to children

4. Data subject rights
Staff should be trained to recognise when a right is being exercised, particularly because the timescales for compliance are becoming shorter. You should be able to locate personal data easily in response to subject access requests

5. Marketing and fundraising
Marketing and fundraising communications are subject to special rules. In particular, consent must be obtained before sending certain communications by electronic means, e.g. by email. With the more restrictive definition of consent introduced under the GDPR, schools will need to check that any consents they rely on meet the more onerous requirements

Where to start?

The best place to start is to carry out an audit on the personal data that your school holds. This should enable you to have a firm grasp on your data flows so that they can begin to tackle the areas outlined above. At VWV, we have a free template which schools can use as a starting point for the audit process.

Staff training is vital. We offer GDPR Data Protection and Information Security e-learning modules as part of our compliance management solution, My Onstream. This automates and simplifies the task of training school staff, and helps ensure that you meet the requirements of the GDPR reliably and cost effectively.  

If you would like a copy of the template audit, information about privacy notices or if you would like to discuss how we can assist with your preparations for the GDPR, please contact Andrew Gallie, in VWV’s Data Protection team, on 0117 314 5623 or Claire Hall on 0117 314 5279. Alternatively, send an email to agallie@vwv.co.uk. More information about staff training via My Onstream can be found at mos.vwv.co.uk, and Andrew or Claire would be happy to discuss that with you.