GDPR in the education sector

What will you be doing on May 25, 2018? Hopefully your day-to-day tasks, content in the knowledge that your school is fully prepared for the GDPR that comes into force on that day. 2020 Vision answer some pertinent questions.

The General Data Protection Regulation (GDPR) has been a hot topic in the media at home and across the EU for a while, with talks on how this new legislation can impact different businesses across all sectors. But what is GDPR?

What is GDPR?

GDPR is a piece of European legislation that is set to be implemented on May 25, 2018. Although Britain is leaving the European Union, we will be adopting this piece of legislation and it will replace the Data Protection Act (DPA).

This piece of legislation will help strengthen data protection across the continent and will impact any organisation that holds data — including those operating in the education sector.

What do education organisations need to know about GDPR?

Educational institutions are some of the most dominant data collectors in the world — storing data on pupils (both past and present) and staff within the facility. Implementation of CCTV has been common in recent years within schools, colleges and universities — picking up surveillance footage daily and collecting data. Whether you store this data in a filing cabinet or back it up on an IT system, it will soon be impacted by GDPR.

The education sector, under the DPA, has a ‘duty of care’, which means that institutes need to protect data at all costs and ensure that it is secure — removing any opportunity for data breaches. Although this will still apply after the introduction of GDPR, responsibility for data protection will be more intense, regardless of the format.

Those who do not comply with GDPR and do not make the appropriate changes in time for its implementation will suffer from intense fines. Currently under the DPA, schools could face non-compliance fines of £500,000. Under GDPR, this could be up to £20m — which equates to four per cent of global turnover for data controllers and processors.

Data controller:

The data controller determines how personal data is processed.

Data processor:

The data processor processes data on behalf of the data controller.

It will become a criminal offence to pick a data processor that doesn’t have the minimum capabilities for IT asset disposal. Educational establishments will have to prove that they are working with a credible organisation when it comes to the disposal of data.

After May 25, schools will require a contract or a service level agreement to be in place with processors they decide to work with.

What those in education must do

The first step is awareness: you need to make sure that all people who handle any type of personal data are aware that the DPA is changing to GDPR. Information audits will need to be carried out by educational establishments.

As children are usually involved, you need to put systems in place that will help verify a person’s age and then gather parental/guardian consent for any data processing activity that you might do. After a while of keeping student data, you will need to dispose of it — keeping in mind the students’ rights which can then determine how you delete data or provide data in an electronic format.

Procedures for data breaches must be put in place, too. All staff handling data should be aware of these procedures, and appointing a data protection officer could be a worthwhile investment. It’s vital to continuously review the methods you have in place within the education sector when dealing with data and to become more knowledgeable about the subject.

About the author
2020 Vision, a supplier of efficient access control systems, researched and provided the information for this article.