GDPR for schools — an initialism that has struck fear into the hearts of UK education. Its full name, General Data Protection Regulation, does little to alleviate the distress and confusion that accompanied its introduction in May of 2018.

While the General Data Protection Regulation is complex and requires time and effort to comprehend, it is not the unmanageable proposition that it can seem.

In this blog, we will outline what your school needs to know and dispel three of the most significant myths surrounding GDPR compliance that many schools believe to be true.

GDPR Is Designed to Give People More Control, Not Catch Out Organisations

GDPR enforcement is not intended to punish or threaten organisations, but rather to empower people with more control over the data collected by those organisations and to ensure that data is collected and processed in a responsible manner.

It is true that under GDPR, the ICO (Information Commissioner’s Office) has the power to issue enormous fines — up to £17 million or 4% of turnover, in fact. However, it does not stand to reason that the ICO is looking to deliver exaggerated fines or exact swift penalties for minor GDPR infringements. The ICO is committed to educating, supporting, and advising organisations on GDPR compliance, so you shouldn’t feel as though they are out to get you.

GDPR and Consent

GDPR represents a tightening of the rules on consent, but that doesn’t mean you are entirely unable to process personal data without consent being given. It is just one of a number of legal bases upon which you can process personal data.

GDPR Article 6 dictates that datasets can be processed provided that one of six conditions is met. Although consent is at the top of the list, data can also be processed on the grounds of contract, legal obligation, vital interests, public task, or legitimate interests.

Gathering consent is a logistical and administrative nightmare for schools, so it is important to know when alternative bases for data processing apply. Before collecting and processing data, consider if it can be justified under another, more appropriate basis to prevent the need for rigorously chasing parents for permission.

Managing Data Breaches

GDPR brought about a change in legislation on reporting data breaches. It led some to misconstrue and overstate the scope of the updated rules, claiming that all data breaches had to be reported to the ICO within just three days. While these statements are somewhat based on truth, they cause confusion by their inaccuracy.

To begin, you are not expected to report all data breaches to the ICO. The emphasis is placed on organisations to report data breaches that might result in a risk to the person’s rights and freedoms, not minor infractions that are likely to have little to no impact. If you are concerned about determining whether a data breach should be reported, the ICO offers a live chat function on their website, so you can check the severity of a breach directly with the authorities.

Secondly, it is the responsibility of your school to report a data breach within 72 hours, but the clock starts to run from the moment you identify the breach, not the moment the breach occurs. By implementing a sensible and structured process, you should find that reporting a breach within three days is not the headache that it may first appear to be.

GDPR — Good Documentation and Processes Reassure

The key to responsibly handling and processing data, and preventing dangerous breaches, is to have an infrastructure in place that ensures GDPR compliance. Tried-and-tested systems, comprehensive documentation, and easy-to-follow processes will all make GDPR compliance a far less daunting requirement for your school to deal with.

If you remain unsure about GDPR compliance and would like assistance with the setup of your data processing infrastructure, we’d be happy to help, so get in touch with our team today.