As a controller, your school is responsible for the security and processing of all personal data you collect. This responsibility extends to the data you share with any third parties such as your suppliers. If one of your suppliers falls foul of the GDPR and the data you shared with them is compromised, the data protection authority may come knocking on your door. Although this may seem a little onerous, there is clear guidance on how to responsibly protect the data you share and how to legally protect yourselves.
The appointment of a data protection officer is one of the more daunting requirements of the GDPR. The concept of the DPO has been around for a long time, and a number of EU countries have had the requirement in place for a number of years, most notably Sweden and Germany. The GDPR now makes this appointment mandatory across the EU regardless of the size of the organisation, though there are other criteria that determine whether a DPO is required. Before we get into the criteria, I'll cut to the chase: schools will almost certainly need a DPO.
The thing about the GDPR is that it's not going away and it's not going to pass by silently on May 25th 2018. It's designed to make everyone sit up and take notice.
The truth is, current data protection action tends to be more reactive than proactive. The GDPR is designed to make the data controller, in this case schools, fully responsible for managing their students', staff's and parents' data and to actively prove they comply with the regulation.
There are many specialised words and terms associated with the General Data Protection Regulation (GDPR). These are the most common ones.
- Binding Corporate Rules (BCR): Corporate rules that allow multinational organisations, such as multinational school networks, to safely and legally transfer data internally (within the organisation) across EU borders.
- Consent: Freely given, specific, informed and explicit consent, by statement or action, by the student, parent, staff member or any other person, signifying agreement to the processing of their personal data.
- Data Controller: This is the school. The controller determines the purposes, conditions and means of the processing of personal data.
What is GDPR?
The General Data Protection Regulation is the EU's tough new privacy and data protection law, designed to significantly strengthen all EU citizens' rights and security relating to the data you store about them. This includes the right of students, staff and parents to take legal action against the school or its 'student information system' supplier, and the right to compensation for misuse of their personal data.