
GDPR for Schools – Are You Ready?

10th January 2018

The EU General Data Protection Regulation (GDPR) comes into force on the 25th May this year – your school will need to be ready to comply with this new regulation by this date, or risk significant fines.

What is GDPR?

In short, GDPR is a piece of legislation that aims to unify data protection for all EU nationals. Despite Brexit, British businesses and schools still need to comply with these requirements. This is the biggest update to data protection rules in 20 years, and a much-needed change to laws that were not suited to the current digital world.

It will be enforced by the ICO, and will provide new rights for people to:
1) Access information that companies hold on them
2) Understand how their data is managed
3) Provide specific consent for how and when their data is used and stored

Why it Matters for Schools

While all businesses are affected by GDPR to some extent, schools need to be particularly careful since they process and store data about children – a group who have specific protections under GDPR. The ICO recommend that you put systems in place to verify people’s ages and gather parental consent for data processing.

This is the first time that EU legislation has brought in special protection for children’s personal data. If your school collects data on children under the age of 13, you need specific parental consent to process their data. This consent needs to be clear, specific, and verifiable, as well as being written in a way that all users (including children) will understand.

What Steps Should My School Take?

Every school and business should get independent, legal advice on their unique situation and data processing and storage environments. However, there is some general advice that has been dispensed by the ICO and other organisations to help people prepare for GDPR.

Educate

You will need to educate both internal stakeholders and website visitors about rights and requirements related to GDPR. Internally, you will need to make sure that decision makers and key staff know about GDPR, the likely changes that will come into effect, and the impact this will have on your school.

Externally, you will need to update the privacy and data processing notices on your website so that they reflect your new GDPR-compliant policies. This includes telling people, in plain and simple English, what you will do with their data (for example, when they submit a contact form) and giving them the option to opt out of things like marketing activities. Pre-ticked boxes and assumed consent are no longer acceptable after May 25th. Proper consent is at the heart of GDPR, and it is essential that you obtain it every time a user submits information – this consent may need to be given by parents/guardians rather than by the children themselves, depending on the user's age and the nature of your website.

Audit

Your school will already have a large repository of information regarding potential, existing, and past pupils, and perhaps even information on people who requested prospectuses or attended open days many years ago but never actually joined your school. You will need to audit and document all of this personal data, where it came from, and who you share it with. You may need to delete a lot of information if there is no justifiable reason for keeping it, and should put processes in place to clean your data as and when it becomes unnecessary.

You will also need to ensure that data protection is built into your processes ‘by design’ and should carry out a data impact assessment. While many organisations do not need to do this or appoint a data protection officer if they have a small number of staff, schools process children’s information and will therefore be held to a slightly higher standard.

Secure

Once you know what information you hold and where new information comes from, it is essential that you keep that information secure from the moment you obtain it through to how and when you delete it. This also means checking with your data processors – for example MailChimp, your MIS provider, or Google – to ensure that they are GDPR compliant too. Many of these large companies are US-based but deal with individuals in the EU, so they should be taking steps towards compliance. However, your data is your responsibility, so the onus is on the school to ensure that this is done properly.

Maintain

Once you have taken the proper measures to gain consent, secure data, and update your policies, you will need to maintain them. This means dealing with subject access requests properly, cleaning old data, and deleting data as and when necessary. GDPR compliance is not a single step – it is an ongoing process for dealing with data and ensuring that it is kept as safe as possible for as long as you retain it.
