GDPR: year one

One year on from the implementation of the new GDPR framework, Hazel Davis asks how the education sector has adapted to the new regulations

The lead-up to the GDPR (General Data Protection Regulation) implementation last May brought with it a flurry of activity. GDPR – which everyone in edtech knows by now – applies to any organisation that handles personal data within the EU, regardless of location, and educational establishments are no different. The legislation has necessitated changes in all sectors, some of them less dramatic than was previously trumpeted, some of them more so. But how has the education sector fared?

It’s fair to say that most educational establishments should have already been pretty tight on data, but GDPR meant increased documentation to demonstrate compliance, the appointment of data protection officers and processor agreements (for any third-party processors). It (should have) also included increased staff training.

Day-to-day data

Craig Carrington is head of marketing at the Smallpeice Trust, an independent charity providing programmes to promote engineering careers to young people aged 10–18. Like many, he says the GDPR regulation has had little effect on the charity’s day-to-day activities. “We were already steadfast on the management of students’ data,” he says. “A lot of our activity involves running engineering-based courses at universities and these courses are normally three to four days long and require students to stay overnight at university accommodation. This means that we need to collect certain information, such as email addresses, parents’ contact details and school details.” In this regard, he says, “we have always been transparent on what data we collect and what we do with it.”  

The trust is investing heavily in a new CRM system to streamline the operational effectiveness and security of all its data. This is part of a two-year project that will result in a CRM system capable of handling all data for both engineering courses and scholarships to improve customer engagement.

However, like everyone, the trust has had to make changes to its data-handling policies to reflect the law’s changes as well as minor changes to application forms. GDPR has had an effect on how the trust’s marketing team operates. Carrington says: “Our fundraising model requires evidence of impact of our courses and services, which means we take pictures of students on our courses and gather first-hand feedback. We do this to demonstrate the impact our courses have had on young people, which our funders like to see. 

“We now ask students to agree to a ‘comprehensive’ media distribution document listing the many channels where their ‘image and quote’ may be published. This can be quite a tedious process for the student.”

Money matters

For the Smallpeice Trust, the cost implications of GDPR have been minimal: “We sought advice from our retained legal advisors on GDPR, so there was no extra cost as this is built into the retainer fee. There was no cost to change internal documents and minimal cost to change website application forms by our web agency.”

But for other organisations who may not have been so stringent with their data policies, says Carrington, GDPR can only be a good thing: “They have had to upskill their staff and systems for the benefit of everyone.”

The big picture

One of the most challenging aspects of GDPR for the Smallpeice Trust, says Carrington, has been understanding the sheer scope of the regulation. “We were bombarded by agencies and organisations claiming to be experts on the subject matter,” he says, “and I was particularly disappointed with how GDPR was positioned by these ‘experts’ – very negatively – with the potential consequences of failing to adopt GDPR highlighted as the main factor for change.”  

“Most schools have always understood the need to protect their pupils’ personal data, and so we have not experienced GDPR being a game-changer for education establishments in terms of how they handle data,” says Matthew Cole, employment partner and head of data protection law at Prettys solicitors. “True, many have had to incur the additional costs of buying in the services of a data protection officer to issue privacy notices, but on the whole schools have coped well.” 

But it’s been interesting to see how new technologies affect compliance and the shift of responsibility, Cole says: “For example, the increasing use of fingerprint access to cafeterias and printers. This is biometric data, which is highly protected under the data protection regime. However, what we are finding is that schools buy into these services from third-party providers who are – if they are worth their salt – aware of their obligations, and those of the schools. So in many cases these providers ensure a degree of compliance and information security that the schools would not be able to replicate themselves.” 

One big issue that education providers can easily overlook, says Cole, is the compliance involved in the ecosystem that tends to exist around schools: “School transport, for example. Increasingly CCTV footage is taken on school buses and there have been a number of issues around how the processing of that data is communicated to young people.”

Another GDPR pressure point can be parent-teacher associations. These are often run by a group of parents who are reliant upon the school for providing contact information. Cole says: “Many do not have the resources to ensure that data is kept secure – that retiring members are deleted from WhatsApp groups, for example. Schools have had to educate these groups and in some cases work hard on ensuring compliance.”

Taking care of business

For edtech businesses, it’s crucial to see technology as an educational enabler, not a hindrance. RM Education provides IT products and services to educational organisations and establishments. “We have a vested interest in helping school leaders get the most from technology,” says Steve Forbes, the company’s principal product manager. “While the data protection law should be seen as a sensible piece of legislation to better govern how personal data is managed, given the well-documented budgeting challenges many schools face, responsibility for complying with it has fallen on existing staff such as the school business manager or bursar, often without the necessary training nor any additional resource,” says Forbes. 

The new laws are complicated, “and simply sending someone on a one-day course and hoping that they are now an expert, is at best, optimistic,” Forbes says. “Many schools have been unable to do more than the minimum, potentially leaving themselves exposed to data breaches, and we are not surprised to see the latest ICO data suggesting an increase in data breaches being reported by educational establishments. Working with a technology partner can lessen the burden that this brings for such schools, albeit without removing all of the obligations.”

With budgets at breaking point, the last thing schools and trusts want is another thing to spend money on but this, says Forbes, is all well and good, “until a major data breach hits the headlines, forcing the ICO to take much stronger action.”