GDPR for schools: how to become compliant

Getting your school GDPR compliant can look like a distant light at the end of the tunnel, but becoming ready for the new regulation may not be as difficult as it appears


Friday 25 May 2018. That is the date by which you have to be compliant with GDPR. It is the date after which your school can be fined or reprimanded for breaching GDPR rules, and the date from which a parent, or potentially a student, may choose to test your ability to deal with a subject access request.

That may sound frightening, but while there will be some hard work involved for all schools to be ready, GDPR should not be as terrifying as some schools fear.

In our other guides, we have told you what exactly GDPR is and how it impacts schools. Here we give you a basic guide to GDPR compliance (in the next few weeks, Tes will be covering different aspects of GDPR compliance in more detail on the Tes School Portal). 

GDPR should be viewed in the same way schools approach safeguarding, says Dai Durbridge, education specialist and partner at law firm Browne Jacobson.

“If you look at every member of staff’s role with safeguarding, each member of staff is required to keep an eye out for safeguarding issues, so if they see something and they’re not sure what’s going on, they are muscle-reflex programmed to go straight to the designated safeguarding lead and say ‘I’m worried about X’,” Durbridge explains. “It would be the same sort of culture shift with data management.”

Awareness

Awareness is the first basic step to becoming compliant. This stage of the process is about letting staff know what GDPR is and when it is coming into force.

“Compliance with data protection is not about senior management only, or IT only, everyone has to engage in it and be aware of what’s required because we all handle data," says Toks Oladuti, director of information services at an independent girls’ schools trust in London (he wrote a feature on GDPR for Tes last year, offering tips on how to prepare).

Oladuti highlights that it is essential staff understand the key terms within GDPR.

“Raising that awareness and educating and training staff is important so they know what you mean by 'processing data' and what 'personal data' actually is. When you’ve built up that awareness and that knowledge, then they need to know what data they’re actually processing.”

'Processing' data refers to any operation or set of operations performed on personal data, whether automated or not. That includes collecting it, recording it, organising it, structuring it, storing it, retrieving it, disclosing it, erasing it and a whole lot else (the official definition is in Article 4 of the GDPR). Schools, you will notice, do all of these things with personal data regularly.

Personal data is any information relating to a person who is identified or can be identified from it, directly or indirectly. A name or an identification number is the obvious case, but so is a pupil number, an email address, a photograph or a combination of details (year group, form and date of birth, say) that together single out one person.

For more on GDPR's key terms, see our 'What is GDPR' guide


Data mapping

Data mapping (essentially a data audit) is the most important step in the journey to GDPR compliance. By the end of this process, you will know what personal data, both digital and paper, you hold, where it is, who has access to it, and be able to explain why you hold it.

“That is by far the most consuming aspect of getting ready, but it is not particularly difficult,” Oladuti explains. “It involves questionnaires to staff, but also speaking to individuals as well. Sometimes you have to have that conversation to really elicit out what processing departments or staff are doing.

“It is a resource-heavy process, whether it is time, money or people, but it is very important. Once you know all the personal data that you’re processing, how you’re processing and what you are doing with it, that’s a large part of your battle done. Then you can move on from that to do your risk or impact assessment on those processing activities and generating that compliance.”

The ICO has put together a sample spreadsheet that you can download to help complete a data audit.


Training

As mentioned above, GDPR is something that will affect all staff. As a result of this, all staff will need training.

Stuart Abrahams, sales and marketing director at Think IT, says everyone from canteen staff right up to senior leaders and governors will need training.

“Training doesn’t have to be onerous, it doesn’t have to be huge,” Abrahams explains. “It could just be getting everybody in a room to explain the principles of GDPR; you could do it in an hour. Explain this is their responsibility, this is what they have got to do.”

Training will need to be logged, as evidence of compliance. This includes who has received training, when they were trained and what their training covered.

Appointing a data protection officer

Data protection officer (DPO) is a new role introduced under GDPR. All maintained schools and academies, as public authorities, must designate a DPO. Independent schools are not public authorities and so are not automatically required to appoint one, but they still have to comply with GDPR in full, so it may well be worth having one.

The person who takes on the position advises the school on the regulation, monitors compliance, acts as the point of contact for the ICO and for individuals in the event of a breach, and must not have a conflict of interest.

“They do have to be an expert in data protection, so that’s another thing to think about,” says Helena Wootton, data protection expert and partner at Browne Jacobson.

“It needs to be someone who is prepared, willing and able to take on the learning that’s required, so it’s about the individual who has the capacity to do that.”

The question of who can be a DPO within a school has caused a lot of confusion, especially given the lack of clarity from the ICO and the Article 29 Working Party, which issues guidelines on GDPR compliance, around what counts as a conflict of interest.

"It can’t be the IT director because they set the strategy for an IT system and that would conflict directly with the DPO, who has the responsibility of checking the compliance of the IT system against GDPR," Wootton adds.

There are a number of strategies schools are adopting to fill the role, including employing an outside contractor, sharing a DPO across a number of schools, swapping the DPO role with a neighbouring school, or giving the job to a school business manager or a governor (though if that person has a hand in designing or running the systems that process data, there may be a conflict).

Russell Holland, barrister and education specialist at Michelmores, explains who can take on the role: "Just to be clear, the DPO can be an employee, or you can contract one, and also a DPO can be shared across more than one school.

"If you think about small rural schools, the idea that they can afford their own DPO is just ridiculous, it’s not going to happen. It may be a governor with appropriate support might be able to take on that role."

Karen Crowston, vice chair of the board of trustees at Ninestiles Academy Trust in Birmingham and Solihull, explains why her trust has taken the decision to buy in the DPO service.

“We are currently trying to understand what this role will entail and who can, or cannot, take on the role owing to a potential conflict of interest.

“You get different answers from different people about this and in view of the timescales involved we have taken the decision to buy in a DPO as a service starting in May and we plan to review next year. This seemed to be a cost-effective way of resourcing the role rather than appointing a full-time DPO.”

Data breaches

When preparing to be compliant after 25 May, there are two main things to consider: how to deal with a data breach and how to deal with a subject access request.

A subject access request, which gives individuals a right of access to their personal data, should not be a major issue for schools, as there is little difference from the Data Protection Act. The main changes are that requests now carry no cost to the requesting party (previously organisations could charge up to £10) and must be answered within one month rather than the previous 40 days.

For data breaches, you will need to review the processes you currently have in place. The ICO defines a personal data breach as occurring when "someone other than the data controller gets unauthorised access to personal data. But a personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data."

The information commissioner Elizabeth Denham has written a blog on data breaches and examples of when to report them.


Under GDPR, a breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of the school becoming aware of it. Where the breach is likely to result in a “high risk” to the people affected, they must also be told without undue delay. A high-risk breach, Denham explains, includes "the potential of people suffering significant detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage". The 72 hours are calendar hours, not working hours: evenings and weekends count.

Durbridge concedes GDPR compliance on data breaches is tough: “It’s very new and that 72 hours is a very audible ticking clock, so if you get made aware of a data breach at four o’clock on a Thursday, you have one working day, not only to make a decision but also notify the ICO.”

When reporting a breach to the ICO, you will not only need to explain what has taken place, but also how you will resolve the issue, Durbridge advises.

“So you state there’s been a breach, explain what happened, and explain what you’re going to do about it, and state you will come back to the ICO in X amount of time.

“That’s one of the things where schools need a strong procedure on data breaches, and at the SLT level they need to understand that if there’s been a breach, much like a serious safeguarding incident, they must drop everything and focus on it, because that 72 hours is not a long timeframe at all."
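The "audible ticking clock" Durbridge describes is easy to misjudge because the 72 hours run over evenings and weekends. The following added example (not code from Tes, the ICO or any of the people quoted) computes the ICO deadline from the moment the school became aware of a breach and shows how much of that window falls inside an assumed working day. The working window of Monday to Friday, 08:00 to 18:00 is an assumption for illustration, not a legal rule; the only legal figure here is the 72 hours from Article 33 GDPR.

```python
"""Added example: the 72-hour breach-notification clock under GDPR.

Article 33 GDPR: a personal data breach that is likely to result in a
risk to individuals must be reported to the supervisory authority (the
ICO in the UK) without undue delay and, where feasible, within 72 hours
of the controller becoming aware of it. The 72 hours are calendar hours,
so evenings and weekends count, which is why a breach discovered at
16:00 on a Thursday leaves roughly one working day to act.

Illustrative code, not ICO tooling. The working window (Monday to
Friday, 08:00 to 18:00) is an assumed school day, not a legal rule.
"""
from datetime import datetime, time, timedelta
from typing import Optional, Union

ICO_WINDOW = timedelta(hours=72)

# Assumed working window, used only to express "how much office time is left".
WORK_START = time(8, 0)
WORK_END = time(18, 0)
WORKING_WEEKDAYS = {0, 1, 2, 3, 4}  # Monday=0 ... Friday=4


def _as_datetime(value: Union[str, datetime]) -> datetime:
    """Accept a datetime or an ISO 8601 string such as '2018-05-31T16:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def ico_deadline(aware_at: Union[str, datetime]) -> datetime:
    """Latest time to notify the ICO. The clock runs from awareness, not from the breach itself."""
    return _as_datetime(aware_at) + ICO_WINDOW


def working_hours_between(start: datetime, end: datetime) -> float:
    """Hours that fall inside the assumed working window between start and end."""
    if end <= start:
        return 0.0
    total = timedelta()
    day = start.date()
    while day <= end.date():
        if day.weekday() in WORKING_WEEKDAYS:
            # Clip the day's working window to the [start, end] interval.
            window_start = max(datetime.combine(day, WORK_START), start)
            window_end = min(datetime.combine(day, WORK_END), end)
            if window_end > window_start:
                total += window_end - window_start
        day += timedelta(days=1)
    return total.total_seconds() / 3600


def breach_clock(aware_at: Union[str, datetime], now: Optional[Union[str, datetime]] = None) -> dict:
    """Summarise where the clock stands for a breach the school became aware of at aware_at."""
    aware = _as_datetime(aware_at)
    current = aware if now is None else _as_datetime(now)
    deadline = aware + ICO_WINDOW
    return {
        "ico_deadline": deadline,
        "calendar_hours_left": max((deadline - current).total_seconds() / 3600, 0.0),
        "working_hours_left": working_hours_between(current, deadline),
        "overdue": current > deadline,
    }


if __name__ == "__main__":
    # Constructed scenarios: the Thursday-afternoon case from the article and a Monday-morning one.
    for label, discovered in [("Thursday 16:00", "2018-05-31T16:00"),
                              ("Monday 10:00", "2018-06-04T10:00")]:
        status = breach_clock(discovered)
        print(f"{label}: notify ICO by {status['ico_deadline']:%a %d %b %H:%M}, "
              f"{status['calendar_hours_left']:.0f} calendar hours / "
              f"{status['working_hours_left']:.0f} working hours left")
```

Run as a script, the Thursday case gives a deadline of Sunday 16:00 with only 12 of the 72 hours inside the working window, while the Monday case leaves 30 working hours for the same 72 calendar hours. That gap is the practical reason a breach procedure needs someone empowered to act outside school hours.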

It is also important for staff to be able to recognise a breach when one happens.

“A member of staff who sends a document to the wrong email address may not realise that it’s personal data in the first place,” Durbridge explains.

If this happens, staff must not assume that the matter is closed because the recipient agrees to delete the email. It is still a breach, and the school, not the recipient, has to assess it.

If they are not sure whether the document contains personal data, then they must ensure that within five minutes “the DPO knows about it, the DPO has a copy of that email and the DPO is sitting down and looking through it," says Durbridge.

“If you equate it to safeguarding, it’s very similar in terms of speed of response, and the seriousness with which schools and academies need to take it.”

Developing picture

As mentioned above, this is a general overview of GDPR compliance and we have gone into greater detail on all areas of the data protection changes on the Tes School Portal.

But you should also bear in mind that what counts as compliance will develop as GDPR comes into force, with cases reported to the ICO setting the standard. Tes will keep its information updated so you have the most current picture.


For more information on GDPR visit the Tes School Portal


For full and up-to-date guidance on the GDPR visit the ICO website
