Are schools ready for the GDPR?

There’s a lot of talk online about businesses becoming ready for the General Data Protection Regulation compliance deadline of May 2018, but what about all the thousands of schools out there?

All schools, whether they’re private or public, need to comply with the GDPR. When the GDPR comes into play, schools will need to have their data protection programmes already operating. So where to begin?

The first thing a public school needs to do is appoint a Data Protection Officer (DPO). The regulation stipulates that every public body bring a DPO on board to draft and execute an implementation plan for compliance. The DPO may be in-house or contracted out but either way they need a solid understanding of the legislation and data management systems and practices. To assist the DPO, certain tasks will need to be shared out amongst staff, so decisions on who does what need to be made.

Schools will also need to allocate a budget for the GDPR, particularly in the first year when the data protection programme is being implemented or refreshed . In subsequent years when systems are in place for collecting, storing and processing students’, teachers’ and parents’ personal data, the regulation will require less effort to maintain. Don’t forget though that becoming compliant with the GDPR isn’t a one-off exercise. It will require periodic reviews, ongoing vigilance and maintenance of processes such as data subject access requests – to ensure parents’, students’ and teachers’ data rights are protected.

Schools will need to raise awareness amongst staff, parents and students to introduce them to the DPO and to educate them on what the impact of the regulation on each of them will be. The DPO will initiate a plan of action to gain consent for the school to hold personal data of new and existing students, parents and teachers. They need to be told how long the school will keep their information and have a choice in terms of how the school shares or processes it. For example, transferring it out of the EU or making it available for research purposes. For students under 13, parents will need to give consent. And when new students arrive obtaining this consent will be part of the enrollment process.

 There’s a lot that schools need to consider in developing a legal data protection programme – completing an initial audit, drafting the school’s data protection policies, adjusting the enrollment process and implementing an awareness and training schedule. A DPO for a school will probably need three months to develop the programme and another three months to implement it – and all this needs to be done before the end of May 2018.

Compliance governance software like GDPR365 can reduce programme development time by a third, but it’ll still take three months to implement the plan. With little more than six months to go, if you haven’t already, get started today.

image credit: http://academytoday.co.uk/