The GDPR deadline (25 May 2018), scaremongering and prophecies of doom have come and gone with little fanfare and no flurry of prosecutions. Yes, there have been breaches. Yes, there have been complaints – but has anyone been thrown under the proverbial bus? Not to my knowledge; at least, not yet.
However, GDPR is not going to disappear just because results day and the start of the new term have come and gone. It will lurk in the shadows and will eventually catch some poor soul out – just like the threat of the network going down at the worst possible moment.
So, what has your school done about it so far? Have you hired a data protection officer? Held a 30-minute Inset session? Made people fill out a form?
Even if you did all of these things, there is little guarantee that you will maintain compliance. GDPR requires a culture change, not just an online training session and signature (as much as I love a good online training package).
There are a few processes that I follow when considering data, which should help you on your way to changing your school's culture. Here is what you should have already done to meet the requirements of GDPR:
Question what you do and how you’re doing it
- What data do you have and where is it stored? Hint: audit your data!
- What is the risk to that data?
- What are you doing about that risk?
Run regular training
Handling data is a skill and a 30-minute session once a year just won’t cut it. People need frequent and engaging training in this area. This way your data controller can sleep easier, knowing that everyone is working in one approved way.
Let every member of staff know they are responsible
Everyone needs to think differently now, as the times they are a-changing. We are all responsible for the data we store and what it’s used for. Forget about keeping decades’ worth of school reports, field trip forms and endless copies of the same spreadsheet. Focus on storing confidential and personal data in one secure place – such as that expensive encrypted management information system (MIS) that you already pay £10k-£20k each year for.
Simplify your security processes
Too often, lip service is paid to back-office jobs such as IT security. But what happens when a grumpy teacher leaves under a cloud? Or a teenage wannabe hacker uses their teacher’s password kept on a Post-it to publish copies of your data online? Your stress levels skyrocket and reputation plummets. Not a fun way to spend a Friday afternoon. Audit your policies and processes. Simplify them and educate users appropriately.
Consider the right to be forgotten
GDPR specifies that data subjects have the "right to be forgotten". This means that just deleting their log-in and MIS record doesn’t cut it. What about those spreadsheets? The photos? The reports? The dreaded... 12 paper copies in those pigeon holes? They all must go. Oh, and don’t forget to check your back-ups – deleting a record from the network doesn’t delete it from there as well.
Remember, above all, that GDPR is a good thing. It offers protection and should not be a tick-box exercise. Best practice should be shared, and weaknesses or deficiencies dealt with and documented.
Jonathan Torbitt is director of IT and computer science at Rendcomb College in Gloucestershire. He tweets @Jon_Torbitt