Nearly 12 months have passed since GDPR and the subsequent Data Protection Act 2018 came into force in May 2018. What have we learnt?
Lesson one is that interest in data protection is still high, as all stakeholders are more aware of their rights, especially when it comes to Subject Access Requests (SARs). Lesson two is that you need a strategic approach to ensure your organisation mitigates the risk of non-compliance. Lesson three is that there is still ambiguity, which has often led to breaches occurring. This has been backed up by the recent findings of DLA Piper. The global law firm’s report covers the period up to 28 January 2019 and states that more than 59,000 breaches were reported since 25 May 2018. In terms of breach notifications per capita, the UK came 10th.
With this in mind, hopefully all private sector schools will have appointed a compliance lead; whether or not that person is called a Data Protection Officer (DPO) is a different matter that will be discussed later. Whichever route your organisation has taken, staff awareness and training is essential in ensuring you mitigate the chances of a breach occurring. In our experience over the past year (SchoolPro TLC acts as DPO for over 200 schools, including individual schools and trusts within the private sector), 95% of breaches have come through human error. However, that training ought itself to have followed an audit of appropriate scale to understand what data the school or trust holds, for what purpose and on what legal basis.
This should have been one of the first steps your school facilitated, before it meaningfully embarked on the more tangible outputs of data protection such as:
● Creating new privacy notices (for pupils, parents and your workforce)
● Reviewing all relevant policies where data protection has an impact – data protection policy, retention of records, CCTV/use of images, acceptable use
● Considering the key contracts the school has that will be affected, from parent contracts to subcontractors and outsourcing
● The international transfer of data (outside of the EU and outside of the UK post-Brexit).
These are the outwardly visible signs of compliance. However, the Data Protection Act 2018 also requires schools to hold internal records demonstrating how compliance and privacy have been considered, which means understanding what data you process and with whom. This should be held centrally within a data map. Schools should also know how to carry out data protection impact assessments (DPIAs) for tricky areas such as safeguarding and special educational needs, starting with a general one documenting the outcomes of the audit referred to above and then moving to individual DPIAs for every decision that is made regarding the processing of data. This has been highlighted in the ICO audit reports (published January 2019) from two Multi Academy Trusts.
ICO January 2019: “…should create a log of data sharing decisions, including any decision not to proceed with data sharing, to ensure there is central oversight of all data sharing.”
Therefore, your data protection lead, be it the compliance officer or DPO, will require knowledge of data protection law, as well as being plugged into the culture and structure of school life. At SchoolPro TLC LTD, all of our DPOs have school senior leadership experience across the 4–18 age range; this is what sets us apart from other data protection contractors. We know and understand how schools work.
While GDPR mandates the DPO position, we don’t simply think of the role in this manner – as a consequence of compliance. With the right DPO, compliance will be of the highest quality and you can rest assured your school or trust is clear of any legal trouble related to non-compliance. Having a DPO is simply good business in the ecosystem of a data-driven world. The role is essentially a safety net for the care and safety of all stakeholders’ data. Thinking of the role this way leads to insights that could offer your school or trust an advantage.
If you are currently looking for a DPO, be sure to use these best practices to find the right fit.