Time is ticking, and in just a few months all organisations need to ensure they comply with the General Data Protection Regulation (GDPR). What should you be doing to make sure your school is ready?
In the first of three blog posts, I’m going to look at how your school can prepare. I first heard about the GDPR at the start of 2017 and I thought then that it would only be a matter of time before my inbox was inundated with offers to train me, provide me with documents and so on, most of which would be at a rather high price. These started hitting my inbox in the autumn term, by which time I’d made good progress on GDPR preparation.
I’ve spoken to other schools who tell me that they’ve not started any work on preparation yet, and they seem to think that somebody is going to produce something that will solve all the problems of the GDPR. Others have a laid-back approach because they ‘already comply with data protection’. I hate to be the bearer of bad news, but I feel a reality check might well be needed.
GDPR compliance is not a simple checklist; it impacts on lots of other school policies and procedures. It’s great that you comply with data protection (I would expect all organisations who collect data to be compliant), but it doesn’t necessarily mean you comply with the GDPR.
There are a lot of similarities between the GDPR and the existing Data Protection Act (DPA), but there are also a lot of new requirements. Here are the key differences between them.
The GDPR is designed, rightly, to protect individuals and that’s important to all of us – I can’t imagine how I’d feel if I knew that an organisation had breached my own privacy by failing to protect my data. To protect individuals, organisations will need to be much more stringent and be able to evidence how they are complying with the new legislation.
Schools have four months to get everything ready so that they are compliant from 25 May 2018. You need to be looking at:
I’ve decided to create one audit and compliance working document which incorporates a questionnaire for preparation and compliance. I can add documents to this as evidence of compliance and it allows me to see clearly where things are missing. Once I’d completed the questionnaire, I created an action plan to sit within the same document. The working document also has a checklist, a reference guide and the records retention schedule.
Don’t underestimate the scale of this task. In theory it’s a great exercise to undertake, but it’s time consuming and needs input from others. You need to think about how you’re going to record the information, what’s going to be included in the audit and who you’re going to get that information from.
Recording the information is down to preference. I’m an Excel geek so that was my preference – others might want to use Word or another electronic system. There are already companies out there offering to sell schools templates for audits but I don’t think we need to invest money unnecessarily.
Designing a template was the easy part. Now I had to think about the actual data held in school and, as thoughts popped into my head randomly from time to time, I opted to do a mind map. Once I had captured everything I thought we had, I passed it around the school to other staff members so that they could add to it.
It took some time, and although I’m pretty certain I now have everything, I intend to pass it around once more before the GDPR comes into force. If you’re starting an information audit, my advice would be:
Remember, the information audit is not just about noting what data you hold; it also needs to include the reasons for holding it, who it’s distributed to, why, and much more. My current working document has the following headings.
It’s a long list and may well change between now and 25 May. Don’t forget to share this with your leadership team and speak to others who have access to data such as the school nurse, therapist etc.
Before you start trying to do this yourself, save yourself some time and download the Information Management Toolkit for Schools published by the IRMS (Information and Records Management Society). This document tells you everything you need to know about record retention and disposal. It certainly made my life easier.
It has several tables that outline the document title, any data protection issues, statutory provisions, retention period and action at the end of the record life. The guidance made transposing the information into my compliance document a simple job.
My advice to anyone starting out is not to get bogged down with too much paperwork. Create one simple management document that contains everything you need. Over-complicating things with too much paper will only get you down and achieve little.
In my next blog post, I’m going to look at the rest of the preparation that needs to be done, and update you on where we have got to. As I write, I’m awaiting a job description for a Data Protection Officer (DPO) so that we can appoint internally.
Our GDPR for Schools conference will be providing more information and guidance on the new ePrivacy Regulation (ePR), as well as an update from the ICO.
It takes place in London on 27 November and in Manchester on 24 January 2019; you can secure your place now.