The Optimus blog

The blog that inspires leaders in the UK education sector

The Optimus blog

The blog that inspires leaders in the UK education sector

Caroline Collins

GDPR: ready and waiting

Bring on the GDPR! In the last of her GDPR blog series, Caroline Collins describes her final preparations.

 
I’ve been talking to quite a number of people since my last post and am still hearing from people who are telling me that they’ve done nothing about it and don’t intend to, until they get some more guidance. Others have been more proactive. The reality is that the new regulations come into force this month and the preparation shouldn’t be underestimated.

Out with the old

So, what have I been up to since my previous blog? I spent much of the Easter break in our archive room where I came across files from the early 2000s, not to mention PANDA files from the 1990s. I stood, surrounded by dust-ridden folders that nobody had looked at in a decade and weren’t needed in school any longer. Finally, I had three empty shelves for the files that we need to keep for a while. 

I had a great time making use of my new shredder. It’s true what people say: schools tend to keep things 'just in case' and so we end up with stacks of papers and folders containing documents that we really don’t need and will never look at again.

A good thing about the GDPR is that it stops that 'just in case' mentality and makes us focus on what we really do need to keep.

Pol​icies

In my last blog I mentioned the policies that I’d identified as being needed. These are all now finalised and approved. This week I’m issuing the suite of GDPR/data protection related policies to all staff and requesting that they sign to confirm they have read and understood them. I’ve uploaded some of these to our website so people can access them easily.

Support

Our local authority has not offered any support so I was pleasantly surprised when I got an email from them asking for a meeting. We met and they asked what kind of support schools needed. I gave them some ideas but was quick to point out that this should have been done a year ago. One of the discussions we had was the ongoing debate about school business managers working as the data protection officer (DPO). They came in with the view that the SBM cannot be the DPO but by the time they left they had changed their minds.

Do you have your DPO in post?

Have you identified who will be your DPO? I had a discussion with an education lawyer at Browne Jacobson about this and he said that when schools are looking at who can be DPO their first thought should be who is willing to do it. From there you can look at the job role and identify any conflicts. 

Appointing a DPO doesn’t need to be arduous but you might need to just adjust job descriptions slightly so there’s no conflict of interest. The role of DPO tends to sit naturally with the SBM who tends to deal with data matters in school. With that in mind, if the SBM is willing to take on the role, have somebody look at their job description, identify any conflicts and adapt it accordingly.

Staff tra​ining

If staff haven’t yet been trained I’d recommend you arrange training as soon as possible. Data protection is the responsibility of everybody in the school, not just the person implementing the GDPR changes. Staff members don’t need to be experts in data protection – that’s the role of the DPO – but they do need to understand what’s changing in school, what staff are expected to do and how they can access information. The GDPR In A Nutshell group training from Optimus Education is available for members. It contains all the information staff will need and trainer notes to help you deliver it.

Due diligence

Schools are responsible for protecting the privacy of data subjects and so must ensure that any third parties they use for data processing are fully compliant. Third parties would include any company you might use for text and email communications, catering providers, after-school club providers, therapist and counsellor provisions, your ICT support company and your MIS provider. You might have more.

You are responsible for evidencing how those providers are complying with the GDPR. You should write to each company requesting an agreement or contract that evidences this. Use the compliance document to log each company you have contacted and when their response comes in, file the contract/agreement in your data protection file. Make sure you get responses from all the providers, even if you have to chase them.

I have contacted six providers and received responses from five. I’m expecting the final one in by the middle of May. I use the compliance spreadsheet that I created to record all of these. 

Do you need conse​nt?

Under the GDPR schools will not need to rely on consent for most of the data processing that they undertake. However, if a legal basis can’t be identified you will need to look at consent. You’ll all know by now that consent must be freely given and pre-ticked boxes can no longer be used. You can only use consent for one item of processing.

An area that would need consent is the taking and use of photos in schools. I made a list of all the places we use photos of children: the school website, our internal displays, the school prospectus and our food allergy board. I then drew up a consent form that had a box for each of these items and a final item for those who are not happy for the school to take or use photos.

I exported a list of all children into my consent workbook of the compliance document, made a note of when the consent was sent out and log when they are returned, ticking which areas they have consented to.

Once all the consents come back I am going to update our MIS and inform staff. I am giving our ICT coordinator the names of those that have not consented to photos on the website so that he can remove them as he goes along.

GDPR: bring it on

I am quietly confident that I have done the majority of the work needed for 25 May. There are still some small things to do, including another staff training session to make sure they fully understand the new policies and procedures. These include the clear desk and clean screen policies which outline the need for staff to make sure their desks and computers have no data on them which others can view.

I’ve stuck up posters from the ICO around the school and I’ve dropped data protection into almost every conversation I’ve had.

Preparing for the GDPR was a good exercise because it made me take stock and really look at what we have in school, what we could improve on and what needed to be changed or added. It gave me a chance to really think about how well we protect the data of children and staff in our school and it made me realise there is always room for improvement.

Ready, set...

A year ago, I had a conversation with the headteacher when I explained that data protection was changing and what it would mean for the school. At the end of the conversation I remember saying; ’Come autumn, we’ll be inundated with companies offering us all kinds of services and training’.  My prediction came true, although a little later than I had anticipated.

I’m sure lots of schools, like ours, are receiving a large number of unsolicited emails daily from companies offering training, data protection officer services and related services. I’d be cautious about this. Do you need the service they’re offering or can you do it in-house? These companies aren’t cheap and will only be doing what you could easily get done yourself in school.

Good luck with the final preparations and I hope you are all GDPR-ready sooner rather than later.

Foun​dation training for DPOs

Having a DPO with the appropriate skills and knowledge to discharge their duties is a crucial element of complying with the GDPR. That's why we've teamed up with Browne Jacobson to organise three interactive, one-day training courses, covering everything a DPO will be expected to put into practice from 25 May. 
 
With a mix of keynote presentations and workshops, and the opportunity to have your burning questions answered, these events are not to be missed!
 

More from Optimus

GDPR: how schools can prepare

GDPR: progress so far and next steps

Subscribe to Optimus Education's Blog

Join other educators and get the latest Optimus blogs direct to your inbox.
Your data is safe with us: Privacy Statement