The thing about the GDPR is that it's not going away and it's not going to pass by silently on May 25th 2018. It's designed to make everyone sit up and take notice.
The truth is, current data protection action tends to be more reactive than proactive. The GDPR is designed to make the data controller, in this case schools, fully responsible for managing their students', staffs' and parents' data and to actively prove they comply with the regulation.
There are, according to the UK's data protection authority (the ICO), 12 key steps t0 consider to ensure compliance. For those who are on top of their schools' data management game, this may be as easy as a review with a few modifications. For others, it will require much more time.
When should I start thinking about this?
Preparation has to start early; ideally you've already begun. In terms of actually doing something, the best advice is: make sure top management and key decision makers appreciate the impact GDPR will have.
Keep in mind: you are also responsible for ALL personal data you share with 3rd party data processors. This includes, for example, how your school photographer manages student photos, your school administration system provider that stores and processes nearly all your school data, or even catering providers who may need student medical and allergy information in order to provide their service.
Until there is the willingness to commit resources, it may be hard to meet the regulation requirements in time to remain on the right side of the law.
Your school's management team will need to know:
GDPR becomes law on 25th May 2018
Affects personal data of all EU citizens
It replaces existing data protection laws in every EU country with one harmonious regulation.
It applies to any organisation in the world that processes EU citizens' personal data. article 3
Ramifications of non compliance
Fines up to €20 million or 4% of annual revenue (whichever is greater).
Enforcement will be pro-active though fines are a last resort. article 83
Appoint a GDPR Champion
Appoint someone to lead the project and understand what the GDPR is. (This could be your DPO if you require one)
Do not underestimate the time commitment.
Starting point: Review, audit & report
Start by understanding the scope of work required.
It could be weeks or months depending on the size of your school and how advanced your data privacy management is.
Plan & provide for resources and time
With a review or audit, develop a plan and adequate resources to reach full compliance before May 2018.