The GDPR compliance deadline may have passed – but this doesn’t mean the job is done. With the number of data protection complaints soaring, there’s a need to check you have the systems in place to ensure ongoing compliance. We checked in with Christine Jackson, partner with law firm Wright Hassall, for her advice on staying compliant
The new General Data Protection Regulation (GDPR) is designed to offer individuals greater protection over their personal information and also to change organisations’ attitude towards the data they gather, process and retain.
Intense activity to achieve compliance by 25 May appears to have distracted some organisations, however, from the need for ongoing compliance – data protection complaints have more than doubled in the UK since the new regulations were implemented; the Information Commissioner’s Office (ICO) received 6,281 complaints from 25 May to 3 July, compared with 2,417 in the same period in the previous year.
The media focus has highlighted how large commercial organisations, like Facebook, have already breached the new regulations – with large fines imposed – but schools also have critical data protection risks which must be addressed continuously.
Your school should, by now, have policies, procedures and robust systems in place to protect the data your school holds; however, in order to make sure your school remains compliant, you must be vigilant and seek out potential problems before they appear.
Educate and comply
Having appointed a Data Protection Officer (DPO) – who could be an external provider to your school only or shared across a group of schools – it is crucial they continue to educate all staff about the importance of data protection – compliance is everyone’s responsibility.
Do not assume that everyone in the school is familiar with the processes, and what is required of them, let alone the consequences of not following them and exposing the school to risk. The choice of the best person to be the DPO can be tricky but, once made, do not worry about changing who it is; the expertise required by the individual is not clearly defined, but must be proportionate to the sensitivity, complexity and quantity of data being processed.
Your DPO must have a deep understanding of the GDPR and your school’s processes, the information systems used and your data security, along with a good knowledge of your administrative rules and procedures.
Schools are a special case, dealing with a lot of sensitive data that can become more sensitive over time – for example, when children become old enough to own credit cards; compromised data could be kept for years until names, family details, dates of birth, addresses etc., become useful to fraudsters.
Plan and inform
Despite good processes and a competent, committed DPO, it’s still best to draft an ‘incident response plan’. If you suffer a serious data breach this plan, which should be known to everyone, can be implemented quickly to reduce response time and present a unified front in dealing with the problem.
Your DPO will maintain the breach register, which logs every event, however small; it is important all your people know what a breach looks like and that they must inform the DPO. A serious breach – one that affects the rights and freedoms of individuals whose data has been compromised – must be reported to the ICO within 72 hours.
Humans and errors
If a data breach occurs in your school it is likely to be human error, rather than deliberate action, that causes the problem; unfortunately, the consequences can be similar, regardless of the cause. Email is likely to be a common factor in most accidental breaches and the training of your staff members should reflect this.
When popular apps – like Outlook and Gmail – autofill fields in emails they, typically, use the last or most popular address which, at a glance, might look right, but could actually be the wrong recipient with a similar spelling; turn off autofill in your school email systems.
Also ensure you have BCC – blind copying – enabled, and be certain your staff know to use this field for multiple recipients. Using BCC means recipients will be unable to see who else has been included in the message, thereby protecting these email addresses, which could be sensitive. Make sure you enable BCC.
Paperwork and devices
GDPR applies to data, however it is held, so paperwork counts too; where it is part of, or intended to be part of, your filing systems it should be included in your data security processes. It should never leave school premises unless completely necessary and it should be destroyed completely – safely and effectively – when no longer needed.
Any devices used away from school must be secure and, ideally, should be encrypted. Microsoft’s Windows operating system offers BitLocker as standard; this makes it almost impossible for data to be accessed if the device is lost or stolen.
If your school currently allows staff to access school data using their own devices, you should consider rescinding this option in order to deliver better security, maintaining control over every device that can access your sensitive data. If your school persists in allowing access this way, it should insist on additional security that prevents data being downloaded to devices – allowing only access to read it whilst keeping it within the school’s network.
Breaches and outcomes
When you suspect a breach has occurred you must assess whether the likely impact on the individual(s) concerned will be negative. If it will be – that is, if it affects the rights and freedoms of that individual – then the breach must be reported to the ICO immediately. If the likely impact is not deemed to be negative, internal lessons must still be learned as to the cause of the breach, with changes in procedures made as a result, where appropriate.
Schools will attract increasing scrutiny from the regulatory authorities, given the sensitive information they are responsible for and the growing volume of data they process – but GDPR is not intended to catch schools out and punish them; the regulation is designed to change attitudes to how data is gathered, managed and stored, with privacy accorded the importance expected by the public. Ongoing compliance is a good way to gain the trust of staff, pupils and parents.
If your school gets this right – through continued training, awareness and communication – people will trust that you know what you are doing with everything else you undertake – which is critical to your long-term success.