
GDPR: five things schools should have done by now

New GDPR rules around data protection came into effect earlier this year, but how much has your school done to comply?

An expert guide on how to ensure your school is compliant with GDPR data protection regulations


The GDPR deadline (25 May 2018), scaremongering and prophecies of doom have come and gone with little fanfare and no flurry of prosecutions. Yes, there have been breaches. Yes, there have been complaints – but has anyone been thrown under the proverbial bus? Not to my knowledge; at least, not yet.

However, GDPR is not going to disappear just because results day and the start of the new term have come and gone. It will lurk in the shadows and will eventually catch some poor soul out – just like the threat of the network going down at the worst possible moment.

So, what has your school done about it so far? Have you hired a data protection officer? Held a 30-minute Inset session? Made people fill out a form?

GDPR compliance

Even if you did all of these things, there is little guarantee that you will maintain compliance. GDPR requires a culture change, not just an online training session and signature (as much as I love a good online training package).

There are a few processes that I follow when considering data, which should help you on your way to changing your school's culture. Here is what you should have already done to meet the requirements of GDPR:

Question what you do and how you’re doing it

Ask yourself:

  • What data do you have and where is it stored? Hint: audit your data!
  • What is the risk to that data?
  • What are you doing about that risk?
     

Run regular training

Handling data is a skill and a 30-minute session once a year just won’t cut it. People need frequent and engaging training in this area. This way your data controller can sleep easier, knowing that everyone is working in one approved way.
 

Let every member of staff know they are responsible

Everyone needs to think differently now, as the times they are a-changing. We are all responsible for the data we store and what it’s used for. Forget about keeping decades’ worth of school reports, field trip forms and endless copies of the same spreadsheet. Focus on storing confidential and personal data in one secure place – such as that expensive encrypted management information system (MIS) that you already pay £10k-£20k each year for.

Simplify your security processes

Too often, lip service is paid to back-office jobs such as IT security. But what happens when a grumpy teacher leaves under a cloud? Or a teenage wannabe hacker uses their teacher’s password kept on a Post-it to publish copies of your data online? Your stress levels skyrocket and reputation plummets. Not a fun way to spend a Friday afternoon. Audit your policies and processes. Simplify them and educate users appropriately.

Consider the right to be forgotten

GDPR specifies that data subjects have the "right to be forgotten". This means that just deleting their log-in and MIS record doesn’t cut it. What about those spreadsheets? The photos? The reports? The dreaded... 12 paper copies in those pigeon holes? They all must go. Oh, and don’t forget to check your back-ups – deleting from the network doesn’t delete them from there, too.

Remember, above all, that GDPR is a good thing. It offers protection and should not be a tick-box exercise. Best practice should be shared, and weaknesses or deficiencies dealt with and documented.

Jonathan Torbitt is director of IT and computer science at Rendcomb College in Gloucestershire. He tweets @Jon_Torbitt
