GDPR - A Few Practical Questions

There is no doubt that GDPR has been generating considerable debate and discussion for schools. With warnings of gigantic fines for being in breach, many schools have been worrying about what to do. While the risk of fines needs to be taken seriously, the reality is that the Information Commissioner (ICO) is not sat salivating at the prospects of fining a school. It is important for schools to be actively working towards compliance, but if a school has got the basics in place then the risk of a fine is very much reduced. It's also important to remember that fines are the most draconian sanction that the ICO has and would only be used in instances of a very serious breach.

What are the basics of GDPR? 

GDPR has a principle of accountability which ensures that the data controller (the school or Trust) "shall be responsible for, and be able to demonstrate compliance with" the data protection principles. Conceptually, this is not too different to safeguarding. When it comes to safeguarding we know there is a legal duty to keep children safe, we know we need to follow Keeping Children Safe in Education, we know we need to have a policy, train staff about the policy and have an audit trail to demonstrate compliance. This is the same with GDPR.

When thinking about GDPR compliance some, of the following questions may be helpful to consider:

  • Have we updated our Data Protection policy to take into account GDPR?
  • Have we updated our privacy notice to take into account GDPR?
  • Can we evidence that we have asked contractors if they are GDPR compliant?
  • Have we appointed a DPO?
  • Do we have a register of breaches?
  • Are all staff aware of their duty of confidentiality? Would they know what to do if there was a breach?
  • Do we have good knowledge about what personal data we collect, how we process it, who we share it with, and how it is kept secure?

In reality many schools will already have the key foundations for good data protection practice. It is very much building on and refining what is already in place and thinking about what is happening in practice with personal data.

For more information, please contact the Education team.