There’s no doubt that the new GDPR requirements are complex. They span governance, data protection and cybersecurity, and impose significant penalties on those who violate the regulations. Mark Orchison, managing director of 9ine, independent technology specialists in education, says: “From our experience, leaders are finding it challenging to get accurate advice and guidance on the application of the GDPR.” Unlike other regulations, the GDPR requires organisations to make decisions based on their own circumstances and informed by the level of risk to people’s rights and freedoms, not to mention cybersecurity threats and the type of data you’re dealing with – so there’s no single answer. But as a result, Mark says: “We are finding that school leaders are becoming paralysed through the feeling of being overwhelmed by the changes and knowing what to do.”
So how should schools and universities proceed? Making sure that there is a team to respond to the GDPR requirements is crucial. It also looks as though schools will still need data protection officers, who should already be in place. In fact, local authorities are expected to provide a data protection officer service to maintained schools, but this may not always be the case.
Moreover, the responsibility for GDPR compliance lies with individual education organisations, so they will need to shoulder the responsibility. Tony Sheppard at GDPR in Schools says: “No individual can make a school compliant. No supplier can make a school compliant. It is only the school that can do it, ensuring you know what data you have got, understanding retention schedules, making sure that each ‘system’ has a nominated owner, and everyone pitching in.” He particularly recommends the Information and Records Management Society’s school toolkit for help with retention schedules for data.
One option, of course, is to outsource some of the data protection responsibilities, to get experts into the mix. But Mark recommends that the starting point is to brief the governing body and senior management team on the obligations. A GDPR project lead can research the implications for the university or school and be the person who communicates them to all individuals within the organisation. You can then look for other individuals with expertise in HR, ICT and management to support the GDPR lead in managing a programme for compliance. The actions of a single individual in an organisation could be critical, so it’s crucial that everyone in the organisation is aware of the need for compliance.
For more help, institutions can look at the information on the Information Commissioner’s Office website. 9ine has also created a GDPR readiness toolkit, available in Excel and Google Sheets, that gives schools a structure and steps to follow. Tony Sheppard points to historic advice and guidance from Becta [released 2008–2010] that you can find on the National Archives website by searching for ‘becta archives data protection’ online. He says: “Many schools are unaware of the existence of this groundbreaking work which applies as much today as when it was written.”
Once the team is in place, those involved need to understand the full meaning of ‘compliance’. Mark says: “The common perception is that we need to stop everything we are doing in order to become compliant by May 25. This is incorrect.” In fact, education organisations simply need to fully understand their own processing activities as a starting point. He goes on: “Schools also need to assess their ICT infrastructure, document all systems, their configuration, and assess them for vulnerabilities to cybersecurity threats. Schools should research the 10 Steps to Cyber Security and Cyber Essentials, and ensure they are following both of these (and have documented how they are doing so) to support in evidencing compliance with Article 32 (Security of Processing) of the GDPR.”
Further, universities, further education providers and schools need to assess the risks that their current processing activities pose to the rights and freedoms of so-called natural persons. They also need to assess the cyber and data security risks pertaining to those processing activities, work out the resultant risk, and decide what mitigating action they are going to take. Mark explains: “The mitigating actions for the risks need to be proportionate to the resources of the school, with the school also having to have adopted structures and resources to prioritise compliance with the regulation. By undertaking those tasks, the school is demonstrating goodwill and by our judgement, evidencing compliance with the regulation.”
So how will the new GDPR rules affect data systems in education? Amber Badley, director of Firebird Data Protection Consultancy, explains further what the new rules will mean: “There are new requirements to investigate and notify the Information Commissioner’s Office (ICO) and data subjects about data breaches. In terms of compensation and fines, data subjects have the right to receive compensation if they suffer damage as a result of a data breach and organisations can be fined up to 10 million euros for a breach. Moreover, there are tighter rules around obtaining consent from adults and children. In terms of citizens’ rights, people have new and enhanced rights. There are several new accountability obligations for schools to fulfil under the GDPR, to demonstrate they are complying.”
And if you’re running behind, Mark Orchison says that the best area to prioritise is data mapping. He explains: “Schools must map their data processing activities, the transfer of data internally and externally, and the risks against the rights and freedoms of natural persons.” It’s clear that education providers need to do the groundwork now to put in place systems to support GDPR compliance long into the future. As Tony Sheppard says: “We need to remember that this is a journey, it is not a deadline.”
Technology to help with compliance
Amber Badley from Firebird offers tips for how technology can help:
1. Use policy sign-up tools to record and track when employees have signed important policies like the organisation’s data protection policy.
2. Use cloud computing for document storing or sharing – providing you use trusted and secure providers and seek advice from IT support before saving any personal data in the cloud.
3. Publish policies on the organisation’s staff intranet or on the internet to ensure they are easily accessible and not held on a shelf somewhere collecting dust!
4. Use electronic Subject Access Request (Data Protection Act) and Freedom of Information Act request logging and management systems. These allow you to work out the deadline date accurately and store the case file information in one place for easy access.
5. Scan paper-based files and use electronic filing systems to ensure that personal data is easily accessible to the right people when they need it and there is restricted access for those that don’t. Electronic filing systems will also help to record and prove when consent has been obtained.
6. Take encrypted laptops to multi-agency meetings, instead of carrying paper documents containing sensitive information, to avoid accidental data breaches caused by leaving paper documents behind or dropping them in a public place.
Our experts’ resources:
Firebird Data Protection Consultancy: www.firebirdltd.co.uk
Information Commissioner’s Office: www.ico.org.uk
Information and Records Management Society’s school toolkit: https://irms.org.uk/page/SchoolsToolkit