With the General Data Protection Regulation (GDPR) coming into effect in May, schools must begin putting their plan together sooner rather than later if they are to achieve compliance in time for its arrival, according to Paula Tighe, information governance director at law firm Wright Hassall.
It’s essential that key decision makers within your school take the time to fully understand the new regulations and allow sufficient time to push through any necessary changes to procedures and processes once the GDPR comes into effect.
The basic principles will be the same for every organisation, regardless of how much data you process, so it is crucial that you address the new regulations to avoid any serious consequences for non-compliance later down the line.
Remember, the fact that the UK is leaving the EU does not alter the requirement to comply. It doesn’t matter where in the world your data comes from – if it is used, recorded, or processed in the EU, you will still have to comply with GDPR.
Raise awareness and register it
The first step is for you to ensure that all the decision makers in your organisation understand that the law is changing and that the implications for non-compliance are serious. To help mitigate any risk of incurring penalties for non-compliance, it is important that your business starts recording the transition process over to GDPR.
Also known as the ‘Data Register’, this record will show what data your school currently holds, your reasons for processing it and how it was obtained in the first instance. This will help you comply with the accountability principles of the GDPR, which require you to have effective policies and procedures in place.
Review and amend your processes
Rather than preventing you from doing things, GDPR compliance aims to improve standards and practices by encouraging you to adapt and change existing procedures, making them more efficient.
Review your existing digital and hard copy format privacy notices and policies; are they concise, written in clear language, easy to understand and easily found?
Finally, review how you communicate these notices and policies to data subjects, ensuring you explain your reason for processing the data, how long you will keep it and how individuals can complain to the Information Commissioner’s Office if they think you’re doing something wrong.
Rights of the individual
Post-GDPR, data subjects will enjoy much greater control over their personal data. Check your procedures and amend them if necessary, detailing the format in which you will provide data, how you would delete it, and how you will correct mistakes.
Individuals also have the right to have their information erased and forgotten. You must be able to prove that you have a process in place to comply with such a request, if challenged in the future.
Perhaps one of the key drivers for the changes is the right for an individual to prevent their data being used for direct marketing purposes, as is the right to challenge and prevent automated decision-making and profiling.
Having transparent procedures in place will go a long way towards heading off any future problems with the regulator, regardless of complaints or investigations.
If your organisation already handles data carefully under the current data protection laws, the switch over to GDPR should not be a real cause for concern.
Prepare for personal requests
If an individual makes a subject access request (to see what information you hold on them), you must be able to comply within a month, and you cannot charge for this.
You can refuse to comply if you think the request has no merit, but you must tell the individual why and explain that they have the right to complain to the regulator.
Key areas to remember are: have a procedure to identify requests; assess whether they are excessive (which would make them impossible to respond to); and have a transparent approach to acknowledging and disclosing the data in accordance with the GDPR.
Again, in all reality, it will be more important to show a willingness to comply by endeavouring to put in place all the necessary steps and recording the process in the data register, than it will be to be fully compliant on day one.
Never assume you have consent
Although it may sound straightforward, the rules for obtaining consent for personal data to be captured and used for more than just contact can be easily misunderstood.
Just as an individual must give clear consent for their data to be used, they must be allowed to revoke their consent just as easily, at any time.
And, if you change the way you want to use their data, sharing it with a new partner for instance, you must obtain a new consent.
Again, whilst consent can never be inferred and must be explicit, your attempt to obtain and confirm consent, even if you do not receive a reply, will help mitigate any future problems at the hands of the regulator.
Keep reviewing and recording
Under the GDPR, when you are obtaining and processing personal and sensitive categories of data, you need to record how this data will be retained and under what conditions; for example, whether the retention period is required for legal, regulatory and/or organisational purposes.
The new regulations bring a requirement for all businesses affected by GDPR not only to have a retention (data minimisation) policy and schedule, but to carry out mandatory Privacy Impact Assessments (PIA) if they want to process personal data as part of normal business practices, if it is to be processed on a new technological or information society system, or if it contains sensitive categories of data.
These assessments will help you determine the likely effects on the individual, mitigate any risk and build ‘privacy by design’ into how you obtain and process individuals’ data.
Ensure you have a robust process for making the assessments and then record it, along with the outcome – a PIA is a simple step towards compliance, with the emphasis on what you do, rather than what you say you will do.
Make someone responsible
It could be worth appointing a dedicated Data Protection Officer to oversee procedures.
It does not necessarily have to be someone within your organisation; you might choose to appoint an appropriate individual on a part-time or consultancy basis. It is also important to ensure all your staff are trained in the correct handling of personal data.
It is not just electronically-held data that can pose a problem; you need to be aware of other data records, including index cards held within your organisation, as these are also covered by the regulations.
Record how you handle each step of the process in your Data Register. In the event of a complaint or a data breach, it will be those organisations unable to demonstrate what they did to assess risk and mitigate it that will suffer.
Those schools that make an active effort to meet the new requirements, even if they are not fully compliant come May, will fare much better than those who disregard the changes.