The General Data Protection Regulation (GDPR) will bring major changes to how schools look after personal data. It may be reasonable to believe this EU-wide regulation only applies to organisations within the EU, but that is not entirely the case.
The regulation covers all EU nationals whether they are based in the EU or not. If you have students or staff in your school who are from the EU, or EU students on an exchange basis, you will be required to be GDPR compliant.
What is GDPR?
Enforced from 25 May, GDPR will strengthen and add clarity to the current rules (the Data Protection Act) on how personal data is collected and processed.
The new legislation will give individuals greater rights over their own personal data. Under GDPR, individuals have the right to ask an organisation to delete all of the data which the organisation holds on the individual, produce it in a portable format or withdraw any previously given consent. This also applies to students, who, if over the age of 13, can submit a subject access request for their data.
According to the Information Commissioner's Office (ICO), which will enforce the regulation in the UK, personal data is “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
For schools, personal data could range from pupils’ grades and attendance records to more sensitive information, such as biometrics.
A key aspect of the new changes is evidencing compliance with the regulation. It is no longer sufficient just to comply with the rules; your school must now be able to show how it complies. This will involve keeping records of all personal data processing and of contracts with any third parties who process that data on a school’s behalf.
How does it affect international schools?
International schools will need to comply with GDPR in the same way a school in the EU would, explains Mark Orchison, managing director at 9ine Consulting.
“They have the same obligations as any school within the EU so long as they are processing the data of EU nationals, which most international schools will be,” says Orchison. “They have to put in place the same protections as any other school or any other organisation that sits within the EU and that’s under article three of the regulation.”
“Under article three of the regulation, so long as you process the data of EU nationals and so long as the country in which you reside complies with international law, you need to be compliant with the regulation.”
For example, an area in which an international school is affected by GDPR is in the event of a student exchange, says Orchison.
“If I am a school in Kenya and the kids from my school go to a school in France on a school trip, or vice versa, the school in France is going to ask me how I’m compliant with the regulation. If I am not compliant they can’t share the data of the children who are coming on the school trip with me. Therefore, the school trip can’t happen.”
How organisations look after personal data is becoming a growing concern not just in the EU, but worldwide. With governments across the world looking at introducing similar legislation, it is worth getting up to speed with secure data protection processes, even if your school is unaffected by GDPR, Toks Oladuti, IT security professional, points out.
“For what is likely to be the handful [of international schools] which do not have to meet this requirement, it would be a sensible and responsible choice to engage in a compliance-like programme anyway,” Oladuti says.
“The world of data protection is going through a global overhaul to strengthen the rights and protection surrounding people’s data, with numerous new data protection legislations being enacted or drafted across the world, including countries with an emerging or thriving international school market.”
As mentioned above, this is a general overview of GDPR compliance and we have gone into greater detail on all areas of the data protection changes on the Tes School Portal.
But you should also bear in mind that compliance will likely develop as GDPR comes into play, with cases reported to the ICO setting the standards of compliance. Tes will keep its information constantly updated so you have the most current picture at all times.
For full and up-to-date guidance on the GDPR visit the ICO website.