What steps should schools be taking to prepare for the GDPR?

The General Data Protection Regulation (GDPR) and the Data Protection Bill (DPB) are coming into force next month on 25 May 2018 and will replace the outdated Data Protection Act 1998. These new laws will modernise data protection law in the UK and will impose stricter rules on organisations who process individuals’ personal data.

Specific duties and obligations in relation to data processing will be placed on employers. Employers are categorised as data controllers under the new legislation and may also be regarded as data processors in some cases. These terms are defined below:

  • A data controller is someone who determines the purposes for which, and the manner in which, any personal data are processed.
  • A data processor is someone who processes personal data on behalf of the data controller.

We can provide you with a GDPR guidance pack for a fixed fee, which will include privacy notices and policies tailored for schools, together with guidance notes to help you prepare for the GDPR. Details regarding this guidance pack can be found here.

In the meantime, to prepare for the implementation of these new laws, it is advisable for schools to take the following steps:

  • Identify those within your school who are the key decision makers and make sure they understand the changes the new laws are going to impose. Are there any areas in the school which may be non-compliant with the new rules? Do you have significant resources at present to implement any necessary changes?
  • Determine what personal data you hold, where this data comes from and who you share this data with. Do you know how to obtain these answers? How are you going to record your data processing activities when the new laws are implemented?
  • Communicate your privacy notices to those individuals whose data you hold. These individuals will likely include your staff, pupils and also job applicants. Have you reviewed the current privacy notices you have in place? Have you updated these notices in line with the new requirements?
  • Check your current procedures to ensure they cover all rights owed to individuals. Are those responsible for these procedures aware of the additional requirements? Have these procedures been updated in line with the new laws?
  • Update your procedures relating to subject access requests. Do you have a clear procedure and/or system in place? Are those responsible for responding to these requests aware of the rights/obligations in respect of data subject requests?
  • Identify the lawful basis for your processing of personal data. Have you identified this lawful basis? Have you documented this lawful basis and updated your privacy notices?
  • Review how you seek, record and manage consent from individuals, especially in relation to your pupils. Are these methods in line with the new laws? Do your current procedures need to be updated to be compliant? Does the consent need to be obtained from those who hold parental responsibility? Will the pupils understand the privacy notices you have in place?
  • Ensure the procedures you have in place relating to data protection breaches are correct or have been updated. Do you have procedures in place which detect, report and investigate a personal data breach? How will potential breaches be managed? Do you need to carry out a Privacy Impact Assessment?
  • Designate someone to take responsibility for your data protection compliance, i.e. a Data Protection Officer (DPO). It is likely that the governing body of a maintained school or the proprietor of an Academy will require a DPO. There will be rules about who can be a DPO, what a DPO does and how to manage a DPO. Is there someone within your school who is suited to this role? Would an external data protection officer be more suitable for your school?

The law and practice referred to in this article or webinar has been paraphrased or summarised. It might not be up-to-date with changes in the law and we do not guarantee the accuracy of any information provided at the time of reading. It should not be construed or relied upon as legal advice in relation to a specific set of circumstances.
