The data protection time bomb in schools
Yes, you read that right!
Unless schools have started preparing for the implementation of the new General Data Protection Regulation (GDPR) in May 2018, which brings massive changes to data protection, they really are sitting on a ticking time bomb.
The new regulation is intended to strengthen and unify the safety and security of all data held within an organisation. It will bring new demands and challenges that will impact school resources and ultimately finances.
As the ‘data controller’, schools are required to observe various principles when processing personal data. Whilst almost all current data protection regulations will remain, there will be significant changes. These will transform the way schools handle data and data breaches, ultimately changing the way they approach and manage information. Failure to demonstrate GDPR compliance can result in huge fines and other penalties.
Third-party school suppliers that process personal data on behalf of schools are ‘data processors’. Under GDPR, data controllers and data processors have equal liability in the event of a data breach. Blame can no longer be assigned. In addition, any data processors that schools work with MUST be GDPR compliant. It will become a criminal offence to work with suppliers that are not compliant.
As public bodies, schools are mandated to appoint a data protection officer (DPO). The role of the DPO is to oversee data controllers to ensure that they are complying – the DPO has no liability if the school does not comply. The liability lies squarely on the shoulders of the ‘data controller’ – the school.
The key changes under GDPR that schools need to be aware of, and prepare for, include:
- Greater focus on accountability – schools must be able to demonstrate compliance
- Compulsory to have a DPO
- Mandatory to report data breaches within 72 hours
- Third-party data processors must be GDPR compliant; it will be a criminal offence to work with suppliers that do not comply
As with most things in life, preparation is the key!
The Information Commissioner's Office (ICO) published a “12 steps to take now” guide for business that our partner GDPR in Schools has adapted for schools. Visit www.gdpr.school to download the “12 steps to take now for schools” or request a free copy by email at email@example.com