MySchool Blog

GDPR Awareness. What you should do right now.

Posted by Julian on 27 April 2017


The thing about the GDPR is that it's not going away and it's not going to pass by silently on May 25th 2018. It's designed to make everyone sit up and take notice.

The truth is, current data protection practice tends to be more reactive than proactive. The GDPR is designed to make the data controller, in this case the school, fully responsible for managing its students', staff's and parents' data and to actively demonstrate that it complies with the regulation.

There are, according to the UK's data protection authority (the ICO), 12 key steps to consider to ensure compliance. For those who are on top of their school's data management, this may be as easy as a review with a few modifications. For others, it will require much more time.

When should I start thinking about this?

Preparation has to start early; ideally you've already begun. In terms of actually doing something, the best advice is: make sure top management and key decision makers appreciate the impact the GDPR will have.

Keep in mind: you are also responsible for ALL personal data you share with third-party data processors. This includes, for example, how your school photographer manages student photos, how your school administration system provider stores and processes nearly all of your school's data, and even how catering providers handle the student medical and allergy information they need in order to provide their service.

Until there is the willingness to commit resources, it may be hard to meet the regulation requirements in time to remain on the right side of the law.

Your school's management team will need to know:

The Timeframe

The GDPR applies from
25 May 2018

It covers the personal data of individuals in the EU.

It replaces the existing data protection laws of every EU member state with one harmonised regulation.

It also applies to organisations outside the EU that process the personal data of individuals in the EU, for example when offering them goods or services or monitoring their behaviour.
(Article 3)

Ramifications of non-compliance

Fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

Enforcement will be proactive, though fines are a last resort.
(Article 83)

Appoint a GDPR Champion

Appoint someone to lead the project and understand what the GDPR requires (this could be your DPO, if you require one).

Do not underestimate the time commitment.

Starting point: Review, audit & report

Start by understanding the scope of work required.

It could be weeks or months depending on the size of your school and how advanced your data privacy management is.

Plan & provide for resources and time

Using the results of the review or audit, develop a plan and allocate adequate resources to reach full compliance before May 2018.

Again: Do not underestimate the time commitment.

NEW: Appointment of a Data Protection Officer

Public authorities and bodies, which includes most schools, are required to appoint a Data Protection Officer.

DPO duties can be given to an existing member of staff or contracted in. (Article 37)

Download the GDPR management overview visual as PDF (530kb) or PowerPoint slides (1.2mb).


Topics: General Data Protection Regulation, GDPR, Featured