GDPR for Schools
GDPR is just for large corporates, right?
Wrong!!!
GDPR impacts anyone who holds, controls or processes personal data and that includes Schools.
In fact, because Schools retain the personal data of children (including those under the age of digital consent) and often hold sensitive medical data, GDPR is particularly relevant to them.
Should schools be concerned?
Absolutely – there is a feeling within some circles that if we ignore GDPR for long enough – it will disappear, or that it is the new Y2K problem – but in both instances, that is not the case.
If your school’s preparation is not yet underway – time is ticking in advance of the May 25 deadline for compliance.
What are the key questions for my School?
• What is GDPR: GDPR significantly changes data protection law in Europe, strengthening the rights of individuals and increasing the obligations and responsibilities for Schools in how they collect, use and protect personal data.
• Why should we be concerned: GDPR protects the personal data of everyone, which includes School Staff, Parents and, most importantly, School Children. Much of the focus has been on the penalties for non-compliance, but the real advancement here is the rights each of us has with regard to our personal data.
• Who needs to comply: Anyone who holds or processes personal data – this means both the School & 3rd party processors and contractors who might come into the school environment must be GDPR Compliant.
• What type of areas within schools might need review? Lots actually, for example: how the School obtained the data, how they store and distribute personal data, how they manage sensitive data such as Children’s Data or Medical Data, and the security of their data systems (Printers/IT Systems/CCTV/Data Disposal etc.).
• From a practical point of view – what are the essential steps Schools will need to take to become compliant:
Awareness – Schools should familiarise themselves with GDPR, the requirements, impacts, responsibilities and obligations (Optima Training provide training courses customised for Schools & Education)
Accountability – The School should complete a Data Audit, focussing on the data they retain and indicating how they obtained it, for what purpose it is retained, how long they need it for and how securely they store it
Communication – How does the School inform people of how they obtain data – what media do they use to communicate their Privacy Policies & Notices
Personal Privacy Rights – Does the School comply with the rights that data subjects have over their personal data: Accuracy, Fairly Obtained, Duration of Storage, the Non-Transfer of data to 3rd parties etc.?
Data Access Requests – The School must put systems in place to provide data subjects with access to their own data, within 30 days and typically free of charge
Reviewing the Legal Basis for Holding Data – What data is collected and for what specific legitimate purpose?
Consent – Does the School have clear, unambiguous, documented and opt-in consent from the data subject for the personal data which it collects or communicates?
Children’s Data – The School must pay particular heed to the data they hold on children (and Medical data, which is considered “Sensitive”)
Risk Assessments – The School should implement systems for Data Privacy Impact Assessments & Privacy by Design & Default to ensure ongoing compliance
Data Breaches – The School should develop a Data Breach Procedure and implement the procedure if and when a data breach occurs – notifying the Data Protection Commissioner within 3 days
Point of Contact – The School should nominate a point of contact who will assist and advise staff and families with GDPR and who will monitor compliance; this might be a Data Protection Officer
• How do I find out more? Optima Training are running GDPR Preparation Courses – http://www.optimatraining.ie/product/gdpr-essentials-workshop/ or http://www.optimatraining.ie/product/general-data-protection-regulation-gdpr/
• They also customise and deliver onsite courses in schools all over the country – Call them on 061 514744, email GDPR@OptimaTraining.ie or visit www.OptimaTraining.ie