Getting to a stage where you and your school are compliant with the new GDPR legislation isn’t as complicated as you might think. In this guide, we’re going to take a look at precisely what you need to do to ensure you have everything in place. Let’s get started right away.
Don’t assume that your school will be compliant – make sure that everyone is aware of what is happening, and what the potential impacts could be. That includes speaking to teaching teams, PTA associations, and school governors. There may be more resources needed to become compliant, so it’s vital everyone knows everything that is necessary about GDPR and your school.
Document your data
The next step is to document all the personal data that your school holds. You should also look at where that data goes and identify who might see it along the way.
Create privacy notices
You will need to create privacy notices to make sure you are relaying all new changes to your pupils and their parents, and include the relevant info in any school contracts. Don’t forget, the idea behind GDPR is that you are not relying on – or presuming – consent.
Check for compliance
Next, make sure that any individual’s data that is held in the school system is compliant. A good question to ask while reviewing data is this: “Is it easy to erase data or remove consent if necessary?”
Subject Access Requests – or SARs – will need to have procedures in place in the event someone requests one. It needs to be done quickly, efficiently, and preferably by someone trained – so make sure you have cover for absences.
Understand the lawful basis for processing
You must ensure you understand the legal basis for any processing of your data. Document and update your privacy notices to make sure that anyone engaging with your site is aware of the lawful basis, too – for most schools, this will be public interest, so it’s vital to ensure this is stated in all of your privacy notices.
Always ask for consent
You should establish how you are going to get consent – a tick box, for example – and also be clear on how you will record it. Ensure you revamp all of your current consent forms to take GDPR into account, too.
Manage child accounts
GDPR states that all children up to the age of 13 need parental consent. After 13, however, you will need to come up with a way of managing this so you are compliant.
Data breaches are becoming an increasing problem for organisations of all kinds, including schools. Establish procedures and disaster processes and give the responsibility for dealing with them to the relevant people.
Go through privacy impact assessments
Put in place privacy impact assessments that can be rolled out whenever you invest in new technology, new suppliers, and any situations where high-risk processing is necessary.
Employ data protection officers
Hiring a data protection officer is a good idea. At the very least they will have you ready for GDPR on its deadline of 25th May 2018.
Have an eye on the globe
Finally, it’s vital that you know where your data is going – or being stored. The EEA is very strict about where data is kept so you will need to check for the location where your suppliers are hosted.