Can schools really achieve 100 per cent compliance with the GDPR?

This week’s Educater guest blogger, Lynne Taylor from GDPR for Schools, discusses whether schools can realistically achieve 100 per cent GDPR compliance.

Since 25th May, 2018, the lack of understanding and knowledge of the new data protection law has given us more fairy tales than the Brothers Grimm could ever have imagined! None more so than within the education sector, where fear of being held to account has led to a myriad of myths and an attitude of ‘better to be safe than sorry.’

Even the Information Commissioner’s Office (ICO), in its Christmas blog, recognised the silly things people have done in the name of GDPR.

Below is my favourite, because it drives home that many schools do not understand the purpose of data protection.

ICO Christmas Blog

Parents can’t film or take pictures of their child’s Nativity play

This old chestnut was also a common misconception under the previous Data Protection Act 1998 and is an example of where some organisations routinely but incorrectly cite data protection law as a reason for not doing something.

Schools may have their own reasons for preferring parents don’t photograph or record performances – for example, child safeguarding issues or commercial considerations – but as long as the filming or photography is for your own personal purposes, then there is nothing in data protection law, past or present, which prevents this.

So, what does this really mean? Schools stay within the law if they allow parents to take videos and photographs of events at school. However, if schools have other valid reasons not to allow this, that’s OK, but they must not use data protection as their justification.

Achieving 100% compliance – is it possible?

Whilst perhaps some readers think it is possible to be 100% compliant, any school aiming for 100% compliance is sadly going to fail.

A leading barrister recently said ‘I can give you a solution that will make any school 100% compliant. Close the school, knock down the buildings and incinerate every piece of paper and device. Instruct your data processing agents to destroy all your data. Only then can they be 100% GDPR compliant.’

The essence of GDPR compliance is to ensure that you are doing everything possible to protect the data you process and to be able to provide evidence of the steps you have taken. Implementing a good data protection culture in a school or a trust must involve assessing the risk of personal data being accessed and used to harm or hurt the data subject. The risk can NEVER be zero. A low or insignificant risk of a data breach is your aim.

Schools and trusts have a superb culture of protecting all aspects of a child’s well-being. Stepping up to the challenges of the new data protection law will be a natural progression, and one which schools and trusts will take in their stride.


An important part of schools’ ability to comply

The Data Protection Act 2018 (DPA18) is now UK law and incorporates nearly every GDPR statement and more. It is hoped, and expected, that all leadership and governance teams understand fully their responsibilities to meet the new requirements. However, implementing the changes necessary to address this new law is a challenge. Most schools or trusts know that they need to do something but are not always sure exactly how this should evolve. This is exactly where a Data Protection Officer (DPO) becomes key to helping you comply.

It is mandatory for schools to have appointed a DPO, either internally or using an external DPO service. Your DPO will, and must, be at the centre of your data protection compliance pathway.

DPO’s assumed legal duties

  1. Is the school or trust registered with the ICO, and is the registration up to date? Check on the ICO website that the details are correct and you are fully paid up.
  2. Has the ICO been informed of the DPO details? This is a new requirement; the ICO website explains how details of your DPO can be logged.
  3. Do your data subjects know how to contact your DPO?
  4. Does your DPO report regularly to your governing body on the state of data protection within the school or trust?
  • If you can answer YES to all – Excellent!
  • If your answer is NO – Not good – you have work to do!

… and just a reminder: it is you, the data controller, who is responsible in the event of a data breach, not your DPO, whether internal or external.

For more information on GDPR For Schools, please visit their website www.gdpr.school or call 02039 610 110.