First of all, what actually is GDPR and what does it stand for?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
In the UK, GDPR supersedes the Data Protection Act 1998 (DPA), which set out how personal data about members of the public had to be stored, accessed and kept safe.
Can it be summed up in a sentence?
Well, kind of… You could say it’s about asking permission, respecting the privacy of subjects (students), and valuing and protecting their data.
When does it come into force for schools?
GDPR was published in the EU Official Journal in May 2016 and applies from May 25, 2018. There is no separate date for schools: they must comply from that day like any other organisation.
There are six main principles of GDPR, set out in Article 5:
1. Lawfulness, fairness and transparency
Transparency: Tell the subject what data processing will be done, and why.
Fair: What is actually processed must match up with how it was described to the subject.
Lawful: Processing must rest on one of the lawful bases GDPR allows (consent is only one of them) [article 5, clause 1(a)].
2. Purpose limitations
Personal data can only be collected for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. Data can only be used for the specific processing purpose the subject has been told about and no other; a new purpose needs a fresh justification (and, where consent is the basis, fresh consent).
3. Data minimisation
Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.[article 5, clause 1(c)]
i.e. No more than the minimum amount of data needed for the stated purpose should be collected or kept.
4. Accuracy
Data must be “accurate and, where necessary, kept up to date” [article 5, clause 1(d)].
Accurate records limit the harm done when decisions are based on student data and reduce the scope for misuse such as identity theft. Data holders should build rectification processes (a way for subjects to get wrong data corrected) into their data management and archiving activities.
5. Storage limitations
The regulator expects personal data to be “kept in a form which permits identification of data subjects for no longer than is necessary” [article 5, clause 1(e)].
i.e. Data no longer required should be deleted or anonymised, and there should be a retention schedule saying when that happens.
6. Integrity and confidentiality
Requires that data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” [article 5, clause 1(f)]. In practice this means access controls, encryption where appropriate, backups, and staff training, not just a policy document.
So what does all this mean for schools?
It ultimately means schools need to be a lot more organised and accountable when it comes to how they handle student information.
Schools will need to carry out data protection audits covering both internal use of data and data shared with external parties, and make sure they have a process in place for monitoring this on an ongoing basis rather than as a one-off.
Where processing relies on consent, schools need to be clear about how they are seeking, obtaining and recording it, and how a subject can withdraw it.
If a school thinks personal data has been breached, it needs to be able to detect this, report it (GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to pose a risk to individuals) and follow it up to establish what happened and what data was affected.
Schools should make sure they have a named person who understands GDPR and can oversee the process; as public authorities, schools are required to appoint a Data Protection Officer.
Schools should only appoint suppliers who can demonstrate GDPR compliance and who agree to the school’s data protection terms as part of any contract or working relationship. GDPR requires a written contract with any supplier that processes personal data on the school’s behalf.
If you’d like to understand how we approach GDPR, then please drop us a line on firstname.lastname@example.org