We asked Russell, as a Barrister in the Education team for Michelmores, a few questions on the impact of General Data Protection Regulations on schools.
What do you identify as the key challenges facing schools as they look to comply with the new General Data Protection Regulations (GDPR)?
Many schools will already have good data protection policies and procedures in place and so it is very much a case of building on what you have to take into account the obligations. The reason schools process personal data is because they want to provide education for children and as such personal data is being processed to comply with legal obligations or otherwise in the public interest.
One of the big issues is who can be the Data Protection Office. It’s important to note that under GDPR the DPO can be an employee or the service can be bought it. The DPO can also be shared across more than one school. While the DPO can perform other tasks, conflicts of interest have to be avoided.
Do you believe schools have had sufficient support and are ready for the upcoming deadline to ensure compliance?
I don’t believe many organisations will be 100% compliant with every aspect of GDPR but there are many aspects where they can be compliant and need to be able to demonstrate that they are working towards compliance. I feel more guidance earlier from the Government would have helped to allay some concerns but the DfE are now providing helpful websites. The ICO also has excellent free online resources which help.
What do you believe will be the major impact of GDPR will be for schools?
It’s always hard to make predictions but I think for the majority of schools it will very much be spending the time now updating policies/training and having an audit trail and then following them. It is inevitable that there are going to be issues around when breaches have to be reported to the ICO, what conflicts of interests mean for schools and record retention will also be a key issue.
Finally, if you had to give schools across the UK just one short piece of advice to help avoid non-compliance fines, what would it be and why?
Schools have a range of legal obligations and the key is to treat GDPR as you would anything else like safeguarding/health and safety. Know what your legal obligations are. Have a policy in place to comply with those obligations. Train staff and have an audit trail to demonstrate compliance. Schools need to think about having a GDPR toolkit which means they can demonstrate compliance. To start with this will consist of updated data protection policies, a fair processing notice, privacy impact assessments (where necessary), a register of breaches, checking with suppliers that they are compliant and appointing a DPO.
