Data-protection compliance is vital, and with the new General Data Protection Regulation (GDPR) coming into force next year, schools should consider its impact in advance.

The GDPR will apply from 25 May 2018, replacing the Data Protection Act 1998 (DPA); fines for non-compliance will be significantly greater.

TES recently discussed at length what this means for schools. Although details still need to be ironed out, schools can expect changes in the following areas:

Insurance: The GDPR is far more favourable for individuals bringing claims that their data rights have been infringed, so schools should check that they are insured for data-protection-related claims.

Data-protection officers: It is likely that schools will be required to have a named officer responsible for data-protection compliance.

Record keeping: The GDPR imposes extensive requirements for paper trails around compliance.

Policies: There is explicit reference to having data-protection policies. Schools should ensure that policies provide practical guidance to staff, particularly on information security.

Information security: Under the current law, schools are required to take appropriate measures to keep personal data safe. The GDPR expands on these obligations by referencing specific measures such as encryption, pseudonymisation and privacy by design.

Reporting: The GDPR creates a new obligation to report data breaches to the Information Commissioner’s Office (ICO) where the breach represents a “high risk”, the data is sensitive (eg, about safeguarding or pupil health) and the breach or use is significant.

Data processors: A data processor is anyone who handles personal data on behalf of a school (eg, a cloud storage provider). Check that your data processors are compliant.

Privacy impact assessment: If a school plans to handle personal data in a way that represents a “high risk” to individuals, then the GDPR will require the school to carry out a privacy impact assessment.

Marketing communications: So-called “implied consent” for marketing and fundraising communications is now even more unlikely to be data-protection compliant. Schools should check any forms used to capture consent.

Privacy notices: Individuals have a right to be given certain information about how a school handles their data, usually in a document known as a privacy notice. The GDPR will require additional information to be included here. For example, people must be told about their right to complain to the ICO and notices must be written in plain language.

New rights: Various new rights will be introduced. The right to be forgotten, for example, requires the school to delete personal data in certain circumstances.

Alice Reeve is a partner at leading education law firm Veale Wasbrough Vizards

Suggest questions for Legal Ease to answer and email chloe.darracott-cankovic@tesglobal.com