Is Your School GDPR Ready?
GDPR is just for large corporates? Right??
Wrong!!!
GDPR impacts anyone who holds, controls or processes personal data and that includes Schools.
In fact – because Schools retain the personal data of children (including those under the age of digital consent) and often hold Sensitive Medical data– GDPR is particularly relevant to them.
Should schools be concerned?
Absolutely – there is a feeling within some circles that if we ignore GDPR for long enough – it will disappear, or that it is the new Y2K problem – but in both instances, that is not the case.
If your school’s preparation is not yet underway – time is ticking in advance of the May 25 deadline for compliance.
What are the key questions for my School?
· What is GDPR: GDPR significantly changes data protection law in Europe, strengthening the rights of individuals and increasing the obligations and responsibilities for Schools in how they collect, use and protect personal data.
· Why should we be concerned: GDPR protects the personal data of everyone – which includes both School Staff, Parents & Most importantly – School Children – much of the focus has been on the penalties for non-compliance but the real advancement here is the rights each of us have with regard to our personal data.
· Who needs to comply: Anyone who holds or processes personal data – this means both the School & 3rd party processors and contractors who might come into the school environment must be GDPR Compliant.
· What type of areas with schools might need to be reviewed? Lots actually – for example – How the School obtained the data, how they store and distribute personal data, how they manage sensitive data such as Children’s Data or Medical Data, the security of their data systems (Printers/IT Systems/CCTV/Data Disposal etc)
· From a practical point of view – what are the essential steps Schools will need to take to become compliant:
- Awareness – Schools should familiarise themselves with GDPR, the requirements, impacts, responsibilities and obligations (Optima Training provide training courses customised for Schools & Education)
- Accountability – The School should complete a Data Audit – focussing on the Data they retain, indicating how they obtained it, for what purpose is it retained, how long they need it for and how secure they store it
- Communication – How does the School inform people of how they obtain data – what media do they use to communicate their Privacy Policies & Notices
- Personal Privacy Rights – Does the school comply with the rights that exist for their personal data – Accuracy, Fairly Obtained, Duration of Storage, The Non Transfer of data to 3rd parties etc
- Data Access Requests – The School must put systems in place for providing access to the data subject of their own data – within 30 days and typically free of charge
- Reviewing the Legal Basis for Holding Data – What data is collected and for what specific legitimate purpose?
- Consent: Does the School have clear, unambiguous, documented and opt-in consent from the data subject for the personal data which it collects or communicates?
- Children’s Data – The school must pay particular heed to the data they hold on children (and Medical date – which is considered “Sensitive”
- Risk Assessments – The School should implement systems for Data Privacy Impact Assessments & Privacy by Design & Default to ensure ongoing compliance
- Data Breaches – The School should develop a Data Breach Procedure and implement the procedure if and when a data breach occurs – notifying the Data Protection Commissioner within 3 days
- Point of Contact – The school should nominate a point of contact who will assist and advise staff and families with GDPR, who will monitor compliance who might be a Data Protection Officer
How do I find out more?
Our training partners, Optima Training, are running GDPR Preparation Courses, click here for more information.
For more information on Appierschool School to Parent apps, visit our full site here.
Content courtesy of Optima Training and Consulting
