GDPR comes into effect on 25th May 2018 for schools. It is essential that all the new rules are followed from the commencement date; otherwise a school's budget and reputation could be damaged.
Schools handle large quantities of data. Much of it is highly personal, including databases on pupils, medical information and images. They also hold data on staff, governors, volunteers and job applicants. Under the current DPA regulations, schools already have a duty of care to ensure all of this data is safe and secure. The new GDPR rules build on the current DPA regulations and are a more comprehensive version of them.
GDPR – what is it?
Put simply, the GDPR is a new data protection regulation that’s designed to strengthen and unify the safety and security of all data held within an organisation.
It will entirely replace the current Data Protection Act, making radical changes to many existing data protection rules and regulations that many organisations in the education sector currently adhere to under the DPA.
How will GDPR affect schools?
Whilst you may see some similarities between the GDPR and the DPA, there will be some significant differences that will have a real impact on the way data is handled and ultimately affect the way you manage information in your school.
Here are just a few of the key things to watch out for:
- Penalties – under the DPA, non-compliance could see fines of up to £500,000 imposed by the ICO. However, failure to comply under the GDPR could see fines of up to €20 million (or 4% of global turnover – whichever is greater) for both the Data Controller (i.e. you) and anyone else involved in the chain such as the Data Processors (i.e. your recycling partner). That’s a hefty price to pay for not following the rules!
- Contracts – whilst it’s good practice to show due diligence when choosing an IT recycling partner, there’s currently no formal obligation to have a contract in place with your chosen Data Processor. But this is all set to change. Under the GDPR it will be illegal not to have a formal contract or Service Level Agreement (SLA) in place with your chosen partner.
- Data Processors – under the GDPR it will also be a criminal offence to choose an IT recycling partner/Data Processor who doesn’t hold the minimum competencies and accreditations for IT asset disposal (i.e. ADISA, ISO 27001, Blancco etc.). You must be able to demonstrate that you are working with an accredited company when it comes to disposing of your data-bearing, end-of-life IT assets.
GDPR’s six principles
If it is all starting to sound quite complicated, then the good news is that GDPR can be summarised as six principles of how companies and organisations should use personal data.
Personal data should be:
- Processed fairly, lawfully and in a transparent manner.
- Used for specified, explicit and legitimate purposes.
- Used in a way that is adequate, relevant and limited.
- Accurate and kept up to date.
- Kept no longer than is necessary.
- Processed in a manner that ensures appropriate security of the data.