24 January 2018
A reminder that the General Data Protection Regulation (GDPR) deadline of 25 May 2018 is edging closer.
GDPR has been on the radar of most academies since the new legislation was announced, but there remains a lot of confusion. The Data Protection Act (DPA) has been with us for 20 years now, many schools already have a Data Protection Officer (DPO) of some kind, and they are used to treating the security of personal data as important.
The law is changing to give individuals further protection and control, and to require greater transparency. The new GDPR has ‘evolved from existing law’, according to the Information Commissioner’s Office (ICO), which is charged with enforcing it, but there are some significant differences.
The ICO has issued a ‘12 Steps to take now’ checklist, and we recommend that it be brought to the attention of trustees and the senior leadership team if it has not already been discussed.
Some key points to remember or consider:
- Penalties – the consequences of getting it wrong under GDPR will be much more severe. Fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, could be imposed for non-compliance, and individuals could bring compensation claims in addition to these.
- The rights of the individual – the GDPR lists eight rights of the individual: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making, including profiling. You need systems, procedures and a policy in place that ensure you can meet all of these rights within the statutory time limits (a subject access request, for example, must normally be answered within one month).
- Access and security – your IT security needs to be robust and fit for purpose, and must protect personal data against unauthorised or unlawful processing as well as against accidental loss, destruction or damage. You also need to be able to locate and remove personal data from all systems, including backups and any third-party or cloud services you use, when someone asks for their data to be deleted and the request must be honoured. That presupposes an up-to-date record of what personal data you hold, where it is stored and who has access to it.
- Consent – a key area, since you cannot simply assume consent. Consent must be ‘freely given, specific, informed and unambiguous’; silence or inactivity from an individual cannot be treated as consent, and there must be a positive opt-in that can be withdrawn as easily as it was given. Consent is only one of the lawful bases for processing, and much of a school’s routine processing will rest on another basis, so seek consent only where it is genuinely the appropriate basis. For a number of schools the consent relates to children, and where online services are offered directly to a child below the applicable age threshold (16 under GDPR, which member states may lower to no less than 13), consent will have to be given or authorised by a parent or guardian.
- Data breaches – systems need to be able to detect a personal data breach in a timely manner, and written procedures should set out your process for detecting, reporting and investigating one. Note, too, that GDPR requires a breach that is likely to result in a risk to individuals to be notified to the ICO within 72 hours of your becoming aware of it and, where the risk to individuals is high, to the affected individuals themselves without undue delay. Every breach, notifiable or not, must be recorded internally.
- Volunteers – you must train your volunteers to the same level of understanding as your employees. They must be equipped to handle confidential data and adhere to the rules, so they need clarity on how data must be protected. Schools typically have few volunteers, apart from some parent helpers (mostly in primary schools) who probably have access to little data, but this should nevertheless be remembered.
How are academies dealing with these more stringent requirements?
Many trusts are still exploring their options, but time is rapidly running out. The DPO should be an expert in their field and have specific knowledge of their sector, and it will be essential that any employee taking on the role is adequately experienced and trained. Fortunately the guidance does say that the role does not necessarily have to be held by an employee, and this may result in a large number of trusts deciding to outsource the service, which for many may be more cost effective. A number of specialist firms are appearing on the market, and most leading legal firms are also providing GDPR support. This, however, brings an additional cost at a time when academies are also experiencing budget constraints.
Using an existing member of staff carries a degree of risk, not least because the DPO must not hold a role that conflicts with their DPO duties, such as a senior leadership post that decides how and why personal data is processed, and trustees may feel safer outsourcing to a professional. What is causing some concern is that it is difficult to envisage exactly how big the new DPO role is and the amount of time that will need to be devoted to it. One option could be for single academies or small multi-academy trusts to share the DPO role with other local trusts.
However you intend to deal with the new GDPR legislation, it is essential that all key staff in your trust are aware of the forthcoming changes, and that you develop an action plan to ensure compliance from 25 May 2018.