Frequently Asked Question


The General Data Protection Regulation (GDPR) is an EU-wide law which came into force on 24 May 2016, a few weeks before the UK Brexit referendum. The deadline of 25 May 2018 actually marks the end of the two-year transition period organisations were given to become compliant; from that date the GDPR applies in full.

Data protection officer (DPO)
By law all schools MUST have a designated Data Protection Officer who is independent of the day-to-day handling of the data involved (no conflict of interest with the processing they oversee) and who has expert knowledge of data protection law and practice. It is the DPO's job to have an overarching view of how personal data is used within the school and to advise and monitor so that the school meets its legal requirements.

Processing data
This is a term that you'll see a lot of when you're reading up on the GDPR. Basically, you are 'processing' data any time you do anything with it. This includes collecting, organising, recording, transferring, storing or even destroying any data you have on an individual. This also includes any and all automated systems in place that deal with data. Note the distinction the GDPR draws: the organisation that decides why and how the data is processed (the school) is the Data Controller, while anyone who processes it on the school's behalf and under its instructions (for example a software supplier) is a Data Processor.

Lawful basis for processing
The first question to ask yourself about any piece of data is 'why do we have this?'. If you or your school can't answer this question, there is a very good chance you shouldn't have that particular piece of data.

There are actually six lawful bases for processing, and each use of personal data must fit within at least one of them: consent, contract, legal obligation, vital interests, public task and legitimate interests. For schools, most of your data will be processed under the 'public task' basis (performing your functions as a public authority). Where none of the other bases applies, you will need consent, which must be freely given, specific and informed for each purpose you gather and use the data for, and which the individual can withdraw at any time.

Third Party Processors
You are responsible not only for ensuring your school's own handling of data is compliant, but also for the third-party suppliers who process data on your behalf. How far does this go? Think about cashless catering, library systems, parental communications, behaviour software, payroll, healthcare, pensions… The list goes on! And yes, you are completely responsible for contacting each of them, finding out about their GDPR compliance and having a written contract in place that sets out what they may do with the data.

Privacy by Design
This means that data protection is considered in everything that is done at the school, from the start rather than as an afterthought. This could be anything from mandatory data protection training for all new staff (and upskilling of existing staff) through to automatic encryption of external hard drives, strong password protection on laptops and regular data audits.

Data protection impact assessment (DPIA)
Just like the risk assessments teachers and department heads are often expected to do for school excursions or other events, a DPIA is a written report showing that you have thought through the risks a particular use of data poses to the individuals concerned, what you will do to reduce those risks, and how you will respond if something goes wrong with it. It is required for processing that is likely to pose a high risk to individuals, and it is good practice for any new system that handles personal data.

Data Breach
This is where there is a breach of data security, or where data has been accidentally lost, misplaced or misused: think lost laptops, flash drives being left out or personal information being shared with the wrong people. Any breach that is likely to result in a risk to the rights and freedoms of individuals (for example distress, financial loss or physical harm) must be reported to the Information Commissioner's Office within 72 hours of the school becoming aware of it; where the risk to individuals is high, the affected individuals must be told as well. Every breach, reported or not, should be recorded internally.
