Many readers will have already started preparing for the new General Data Protection Regulation (GDPR), which comes into effect on May 25th 2018. You may have assigned responsibility to key people and be in the process of appointing a data protection officer (as the GDPR now requires), if you haven’t done so already.
Assessing your data processing procedures is one of the key steps in your journey to compliance, so here’s a brief overview of important areas to check before the GDPR is introduced.
Subject access requests
In most cases, the new rules won’t allow you to charge for complying with subject access requests (occasions when individuals want to know what personal data you hold about them). You’ll only have one month to comply, except when requests are complex or numerous. Ensure your school therefore has the staff, time and understanding of its data systems to comply with subject access requests within a month.
Consent
You won’t need to get consent every time you process personal data; most of your processing can be justified on the basis that it’s necessary for carrying out your functions as a school. In situations where consent is required, you’ll need to check that your systems for obtaining consent involve a positive opt-in, are clear and specific as to what the consent is for, and make it easy to withdraw consent. If your consent form currently states “If you don’t respond, we will assume permission”, then you’ll have to ask again.
Protecting children’s data
The GDPR brings in special protections for children’s data. Your privacy notice and any requests for consent – especially those concerning children’s data – must be written in a way that a child can easily understand.
Data breaches
Put in place procedures to detect, report and investigate personal data breaches, such as the theft of a school laptop containing unencrypted personal data about a pupil. Assess any breach and, if the individual is likely to suffer some kind of damage, report it to the Information Commissioner’s Office (ICO) within 72 hours. Where appropriate, the affected individuals should be informed of the breach.
Data protection policies
Check that your processes cover the new rules by looking through your data protection policy and asking yourself questions for each new GDPR requirement. If someone asked for their data to be deleted, for example, would your systems currently allow you to do this easily?
Privacy notices
Presently, your privacy notice likely states who you are, why you process information and what you do with it. The GDPR mandates that this be written in clear, plain and child-friendly language and provide additional information. That includes your legal basis for processing the data, and an explanation of individuals’ rights (to, for example, access their data or file a complaint with the ICO).
Sara Martin is a specialist content editor at The Key; you can find further advice at The Key’s GDPR resource hub.