Posted 6 months ago

If you haven't heard the letters GDPR, then where have you been?

In the run up to May 25, we have seen a huge increase in requests from our customers surrounding our solutions and GDPR.

So we thought it would be useful to break it down and provide a clear overview on the ins and outs of the new General Data Protection Regulation. 

GDPR (General Data Protection Regulation) will be replacing the current DPA (Data Protection Act), ensuring that all data is kept safer than ever before. Below, we've delved a little deeper into what GDPR is, and how it will be affecting schools. 

 GDPR - what is it and how does it differ from the DPA?

GDPR is the new, updated DPA (Data Protection Act) to be followed by schools and organisations. It aims to strengthen the protection of 'personal data' - paying attention to the way that data is now used and shared through internet and cloud technologies. This means that the way you manage data and information will change.

The DPA was brought in to control how your personal information was used by others - meaning that any personal information kept about an individual had to be processed securely and confidentially. This current legislation already requires you to have a duty of care surrounding how you keep 'school' data safe - however GDPR will take this to the next level. 

With GDPR, you need to make sure that you give details on how you plan to use the information that you have stored as well as ensuring that the data is kept and shared securely and doesn't risk being breached.

What are the key things to look out for?

Article 5 of the GDPR requires that personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals;
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposed in the public interest, scientific or historical research purposes or statistical purpose shall not be incompatible with the initial purposes;
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased and rectified without delay;
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) Processed in a manner that ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

These categories were broken down by ICO (Information Commissioner's Office).

 Have you prepared for GDPR?

In preparation for 25th May 2018 - we would suggest ensuring you have covered off the items below. 

Educate your people - Ensure that everyone, who handles data especially, within your organisation is educated about the changes with regards to GDPR. Knowledge sharing will help your organisation be more unified in understanding how to protect data. 

Audit the information you hold - Make sure you document all the systems you use to control data paying particular attention to what information you hold and how you use it. Document which third parties you collaborate with. 

Ensure any third parties are GDPR compliant - You also need to ensure the parties you share and pass data to are GDPR compliant. Any questions or queries that arise, just ask. Your data providers, should be prepared and have answers in place especially when it comes to data you may share with them. 

Review and update your current data & privacy policy - Your old policy will have a lot of information contained within it, to help with GDPR compliance. We suggest reviewing this to make sure it also falls in line with the new regulations. Ensure you include information around your legal basis for processing data as well as clarifying how data is processed and used - more information on this can be found here

Be prepared for the change - It will be likely that your organisation could face assessments to ensure that your policies fall in line with the new rules. We also advise you to make sure key information is kept up to date via your website to help field enquiries from your data subjects. 

The DFE have released a 'Toolkit for Schools' - have a read of it here

Need more information? 

Here at New Era Education, we've made sure we are prepped and ready for GDPR coming into action on 25th May 2018.

Have a look at our GDPR page, and see how we have prepared for the change, along with our updated data sharing agreement and more.

Any further questions, don't hesitate to get in touch and we can discuss further how we are GDPR compliant.