The Optimus blog

The blog that inspires leaders in the UK education sector


Caroline Collins

GDPR: progress so far and next steps

Not long now until the GDPR comes into force. What progress have we made and how ready are we?

In my last post I talked about the work I’ve been doing in school to help us prepare for the GDPR. It feels a little like my life has been taken over by data protection and the GDPR but I confess, quietly, that I have been enjoying it.

When I wrote my previous post, I had just finished putting together my compliance document and information audit. I sent the audit to the leadership team because there were areas that I simply couldn’t answer because I don’t know what data teachers process themselves. I haven’t had any comments back yet so am now on a mission to chase for them. I can’t finalise the information audit without their input.

Progress so far

I’ve been working on the action plan I created from the self-assessment questionnaire and information audit. I’ve achieved a fair amount but it is hard to juggle that with the day job. I’ve been dealing with the financial year end, inducting a new site manager and a new administrator, undertaking health and safety audits, issuing contracts to new staff, finalising support staff contractual hours and moving over to a new payroll system. Finding additional time for GDPR readiness has been rather challenging. 

Policies

I finally went through the policies that the GDPR might impact and added them to the action plan. I also managed to review some of these. It’s easy to think that all we need to do is review our data protection policy but the GDPR is going to impact on several other policies.  
 
The policies I’ve identified so far have included:
  • CCTV
  • data management and ICT security
  • taking photos in school
  • subject access requests and procedures
  • individual rights
  • generic fair processing.

Privacy notices

The DfE has updated their privacy notices to be GDPR compliant. To save time I downloaded these for parents and staff, adapted them to suit our school, issued them and uploaded them to our website. These will need to be issued for other data processing we do in the future, but for now, at least I know I have covered the basics. 
 
I now need to print those privacy notices so that they can be displayed in the main school office and in the staff room… but I haven’t yet found a spare two minutes to do it.

Staff training

I have written and delivered two sessions of staff training recently, one for teaching staff and one for support staff on an introduction to the GDPR. Unfortunately, I scheduled a date when about six of the support staff members were out on trips so I have to rerun it towards the end of March.
 
I got good feedback from staff, with some not really understanding what the GDPR was before the training and others having not realised how much it might impact on the school. The teachers’ biggest concern was around taking data off site and having a clear desk policy, while support staff spent a great deal of time discussing the idea that a 13-year-old is mature enough to decide whether or not to consent.

Data protection officer

I’m waiting for our HR team to send me a job description that would suit our school. The governors and headteacher have decided that they want my current job description to be reviewed so that it can accommodate the DPO role. As the SBM many will balk at the idea but we think we’ve come up with a valid justification for me doing it.

Our theory is that the idea that a SBM can’t be the DPO is based on decision-making around data processing. As a maintained school I don’t decide what data we collect, why we collect it or how we collect it. We are told by the DfE and the local authority what data we’re required to collect, how and why. 

I read an article that gave a good example of this: a school wants to change its management information system and a person in school makes the decision of which one to purchase – that person cannot be the DPO.

If the DPO is in place and is asked to make the decision they would need to refuse. Again, in maintained schools this isn’t such a big issue because those kinds of decisions are ultimately taken by the governing body. So, the question of the SBM being a DPO depends really on the context of the role and the school type.

Governors

I have done a report to the governing body on the GDPR but the agenda was so jam-packed they have asked me to do a longer presentation at the next meeting. At least they are aware of what’s happening.

Challenges

The biggest challenge has been finding the time to do it all because it’s in addition to looking after the school finances, HR, health and safety and attendance. My next priorities are to draw up the rest of the policies and make sure they’re embedded into our school life.
 
I hope that by the time my next blog comes out I will have a job description for the DPO and, who knows, we might even have recruited.

GDPR for Schools

Our GDPR for Schools conference will be providing more information and guidance on the new ePR, as well as an update from the ICO.

Taking place in London on 27 November and Manchester on 24 January 2019, you can secure your place now.

 
