There are big changes heading for schools next May in the way they collect and manage their personal data.
From May 25, 2018, the General Data Protection Regulation (GDPR) will replace the current Data Protection Act and there are huge fines for non-compliance.
If you’re complying with current Data Protection law, that’s a good start. But don’t assume you won’t need to review your processes. This is a major overhaul of many of the existing data protection rules. Some will remain the same, but many will differ. For example, you will need to review the clauses relating to how you use staff and pupil data, and revise your data capture processes and data termination procedures.
You will need to carry out Privacy Impact Assessments (PIAs), understand new terms such as pseudonymisation, conduct Data Protection Audits and hold regular policy reviews. Specifically, GDPR is likely to require schools to review the data protection policies they use to explain an individual’s legal rights: because GDPR amends those rights, school policies will have to be amended to match.
Review, review, review
Schools will need to review how they record consent for processing personal data and consider if any changes are required under GDPR. Meeting the new criteria for valid legal consent under GDPR will be more difficult than it has been previously.
Most schools will be required to appoint a Data Protection Officer (DPO). If you don’t already have a DPO, you will need one: someone who understands the complexities of what is required and is capable of implementing such a sizable project.
Further, given the recent increase in ransomware attacks and data breaches, it is advisable to check your network protection in addition to reviewing your policies, processes and procedures. You can have the best set of procedures in place, but if your network is vulnerable to a data breach, you could be facing a truly hefty fine of €20M or four per cent of your global revenue, whichever is greater.
It’s worth asking your broadband provider just how robust their firewalls and security are. Gartner, the world’s leading research and advisory company, shows that the network security offered by some well-known broadband providers doesn’t actually feature on its firewall or Unified Threat Management (UTM) capability charts. That is worrying if your security set-up falls into that camp. Review your security now, and if it’s not up to the job, change it. Don’t leave it until it’s too late.
Choose an Internet Service Provider (ISP) that can offer a full suite of Unified Threat Management (UTM) applications and can take care of your end-point security and perimeter protection; this will be a big step towards fulfilling the security element of the GDPR criteria. One that can also offer proactive reporting and response will further help schools meet the GDPR’s stipulation to report and investigate a personal data breach within 72 hours.
Schools Broadband, the school network security and filtering specialists, have produced a ten-step guide to help schools kick-start their journey to GDPR compliance. Access it here.