The obvious question is: “where do I start?” Typically, the first place most people begin is by reading the Information Commissioner’s Office (ICO) overview of the GDPR and its guide GDPR: 12 steps to take now, and then thinking, “what does this mean for me?”
Whether the new regulation represents revolution or evolution for your organisation depends on current practice, but generally speaking I’d recommend three things:
1. Focus on why this is important
Sure, it’s legislation, and there are potential fines for serious breaches, but for most schools the focus should be on the third word in the title: ‘Protection’. It’s about keeping the large volumes of sensitive data about young and sometimes vulnerable children safe. That is a pretty essential thing to do well, and framing it that way will engage your staff far more effectively than presenting it as mandatory work done just to comply.
2. Work out what’s new about the regulations
In particular, there is a shift in emphasis: data controllers, like schools, not only need robust processes and controls, but also need to be able to demonstrate them proactively (the accountability principle). More categories of data are treated as sensitive, and the bar is raised on the transparency and choice citizens should have about where their data goes and why.
3. Understand your school’s data ecosystem
Any data controller that is on top of protecting sensitive data should know where it is stored, where it goes, and what is done with it. Can you draw that for your school or organisation?
Initial steps to take now
Working with the head teacher and business manager, here’s how I went about it at Dobcroft Infant School…
Step 1: Think where personal data is captured during school life – this is likely to include admissions, parental forms, assessment, school trips etc.
Step 2: Think about where that data is used – generally it’s for contacting people, for tracking education, or for running regular school facilities and activities like libraries and canteens. Several, but not all, of your systems may interconnect with the core management information system (MIS), so note which ones do.
Step 3: Think who you share that data with – for schools this commonly includes local authorities, multi-academy trusts, the DfE and beyond.
Building a picture of your new data landscape
You might already have that picture. You might not, and if not, just have a go…you won’t get it right first time, but show it to a few colleagues across the school, iterate it a few times with them and you’ll be that bit closer to de-mystifying GDPR.
The working version at my infant school is looking like this:
That overview sets me up for the next task – showing where the sensitive data is in that ecosystem, and the associated security.
Looking ahead, schools will want to think about how they evolve their privacy notices and messages to parents. Investing some time now in the work outlined above will be a good step towards communicating clearly to parents and pupils about what data you process and why.
The role of Data Protection Officers under GDPR
There’s also plenty to think about in terms of an appropriate Data Protection Officer role. Public authorities, which includes schools, must appoint a DPO under GDPR, and the focus of the role shifts slightly towards managing subject access requests, and ensuring staff are aware of and up to date with their responsibilities and the legal principles under which data is processed.
As the education sector prepares for May 2018, whilst DfE cannot give advice to individual schools, I will be talking with the ICO about the top issues schools ask about, and I’ll make sure to blog further thoughts and recommendations. Online forums can also help the sector collaborate and share approaches and questions about data protection, data handling and GDPR.