GDPR: is your school compliant?

New research findings released by RM Education and Trend Micro show that fewer than half of UK schools and colleges (48%) believe they are fully GDPR-compliant. John McCaul, ANME member, IT manager and GDPR project lead at Holy Trinity Catholic School, offers a quickfire guide to ensure your school has a strategy in place to be fully GDPR-complaint

At the time of writing this article – almost one year to the day since GDPR came into force – it’s saddening, but not shocking, that half of schools are not fully compliant. It’s clear from comments he made at Bett 2018 that Sir Bob Geldof understood the additional stress and strain that compliance without additional resource would put on UK schools, and the education sector in general – but will the ICO be sympathetic to this argument, and what can you do to tackle the issue?
Never has such an important piece of legislation disrupted both the private and public sector in terms of compliance and governance. Not since the ‘millennium bug’ have we seen such widespread pandemonium across all industries. The thing is, GDPR did not stop on 25 May 2018 – it’s well and truly here to stay and will continue to protect us all – but at least the torrent of ‘Can we still keep sending you emails?’ emails have started to subside!
‘Over the last two years alone, 90% of the data in the world was generated,’ according to Forbes.com in May 2018 – so this rapid change in technology and how data is obtained, stored and processed has far surpassed the DPA of 1998. Whether you’re a multi-national, multi-billion corporate technology company or a small primary school, the law applies to everyone.
So, if you’re a UK school, and find yourself in the 52% on the wrong side of the law, hopefully this guide will help you down the path to GDPR-compliance to reach the pot of gold at the end.
Seven stages of compliance
‘Get Data Put Right’ is a great way to simplify what GDPR stands for. Like the seven stages of grief (and some of your colleagues may view GDPR as a form of this!) the following seven stages of compliance should get you well on the way to where you need to be.

1. Discover: find out where all your data – both paper and electronic – is for both staff and students. Set up a working party of key members of staff; assign stakeholders and designate areas of responsibility. The governors/SLT will need to decide, approve and appoint an appropriate data protection officer (DPO). If this is going to be an existing member of staff, it needs to be someone who does not have any conflict of interest arising from their day-to-day role. Designate internal information asset owners (IAOs) – eg. office manager, data manager, designated safeguarding lead (DSL), attendance officer, IT manager, etc. – to start creating information asset registers (IARs) relating to their areas of expertise. In this modern age, data is an asset.
2. Map: create a dataflow path for the school – where does data come into the school, where does it go out? How is it used, who handles it, and how is it processed within the school? Who does the school then share this data with? Are there agreements in place and what is their GDPR policy? At this stage, investing in a tool and wrap-around service, such as GDPRiS from gdpr.school, would be a wise and recommended move (other GDPR service providers are also available!) After discovery, get the working party to meet up again and report their findings – and focus on exactly who has access to what data, why they have access, and for how long it is required; in this way, you can paint the whole-school picture and build up a dataflow map.
3. Assess: classify your data as you see it – is it public, personal or sensitive personal data? A significant milestone here is performing data protection impact assessments (DPIAs). These are just like risk assessments for a school trip but, instead, relate directly to the data you hold and control in school; seek third party help if you’re unsure. DPIAs need to be done for old, current and new systems that you may use – be they paper or electronic. Assign a risk level and know your retention periods for all data; use the IRFS schools toolkit from the Information and Records Management Society (IRMS). Designate people in your working party to review data they are responsible for and classify accordingly.
4. Protect: ensure adequate protection is in place to secure both physical and digital data. Some examples of things to consider are software security, encryption of data, lockable filing cabinets, who has keys/access, do you implement a ‘clear desk’ policy, how often do you change passwords, and are they complex enough? Don’t forget to update your CCTV policy too – log all access and retrieval of footage to keep as evidence of compliance.
5. Manage: once you know where all your data is, and it’s been secured, it’s essential to keep on top of it. Of all the stages, this is probably the most important as it will feedback into everything you’ve done before – and everything you will do in future. Consent will also need to be obtained for using some, though probably not all, students’ and parents’ data for systems and processes in school. Some mandatory data does not require consent, but be careful not to overuse the ‘public interest/public task’ legal basis – and don’t forget your staff either! Statutory requirements and obligations to the DfE and LA may be included here.
   Having a support partner who can help and advise on these matters is extremely beneficial – a belt and braces approach to consent is never a bad thing. It’s also crucial that the school has an up-to-date privacy notice and data protection policy. GDPR compliance needs to be regularly checked, monitored and reviewed, with any data breaches immediately reported to the ICO within the new 72-hour window. Records of any subject access requests (SARs) need to be kept, and it’s essential to know and apply your retention periods on data. Record the removal and deletion of data for leavers after the retention period has expired and don’t forget that this applies to paper-based, ‘physical’ data as well as ‘digital’ data.
6. Train: GDPR applies to everyone – and the ICO will want to see evidence of training for all staff, and that it has been undertaken regularly. Let new starters know what your best practice is – eg. no USB sticks without password protection, or don’t take personal or sensitive data off-site in a briefcase. Educate your students, or ‘train’ them, as part of the curriculum and staying safe online. You may also need to tailor your training for people in areas of greater responsibility; a one-size-fits-all approach probably won’t cut it with the ICO! Some schools may prefer to deliver this as part of their inset programme; some may prefer to drip feed little and often – either way, ensuring everybody knows what they need to be doing is vital.
7. Report: GDPR compliance is not a destination; it’s a journey! Governors and senior leaders need to be updated by the school’s DPO regularly in order to highlight any issues or suggest improvements. Recording what you are doing and why you are doing it – and also where you want to be – is strong evidence of due diligence and compliance – and that’s what the ICO is looking for. The ICO’s job is to make sure that the school is being held accountable and taking its responsibility for data seriously.

Embrace the GDPR journey!
Whether you’re only just starting off on the GDPR compliance path, or you think you’re almost there, it’s important to remember that all schools are unique and all schools will not be in the same place – it would be a very dull education landscape otherwise.
Since GDPR came into force, and after reading the most recent ICO advisory visits and audit reports, it’s clear the ICO will not tolerate complacency or ignorance; it expects accountability. The ICO is not here to punish schools, it just wants to protect everyone’s data. Approach this in the same way you would any other inventory for classroom furniture or IT equipment in school – and, by the end of it, you will, hopefully, have found the whole process very rewarding. You may even be in awe of how much data your school holds and how well you do it!
Don’t forget to follow us on Twitter, like us on Facebook, or connect with us on LinkedIn!