Tuesday, 10 October 2017

GDPR - top tips to get compliant

It’s that time of year again, the summer break is over and it is back into the routine for another academic year. Any bursar will tell you that September is an extremely busy time of the year with a seemingly endless list of things requiring attention. In the hubbub of the new academic year, it is easy for tasks to be put on hold, which is why I am taking an opportunity in this edition of ‘educateIT’ to gently remind headteachers and bursars of a deadline that is now two months closer – the GDPR regulation.

I’ve spoken so much with bursars about GDPR recently that I am starting to feel like a broken record, but the reality is that it is so important that it will be on the agenda right through until the 25th May 2018 deadline and beyond.

After a well-deserved 2-month break, you may be racking your brains to remember exactly what GDPR entails. The General Data Protection Regulation (GDPR) is a piece of EU legislation designed to provide a common data protection policy amongst EU member states. When it comes into effect next May, it will supersede all existing data protection regulations (in the case of the UK, that is the Data Protection Act 1998). Because current data protection legislation differs across member states and was introduced before the cloud and social media, it was clear that modern legislation was required.

No doubt that if you have heard about GDPR, you will have heard the scare stories about fines of up to €20 million for non-compliance. As an independent school, it is unlikely that you could ever face such an astronomical fine for non-compliance, these fines are reserved for the worst offenders. However, it is a safe assumption that under GDPR fines for non-compliance will move up the value chain. For more on GDPR, read my blog from March 2017 entitled “GDPR – What’s it all about and how does it affect Independent Schools?”

During my visits to Independent Schools at the tail end of last term, I was frequently asked when would be a good time to start tackling the issue of GDPR compliance. At that time, I urged schools to begin work as soon as possible – since compliance is not something that can be attained overnight. In the new academic year, with the deadline less than 9 months away, my message is that if your Independent School hasn’t begun the process of GDPR compliance, it should be as near to the top of your agenda as possible.

With that in mind, what are some key considerations an Independent School should make as it progresses towards GDPR compliance?

Firstly, it is a good idea to get acquainted with the Information Commissioners Office. This is the Data Protection Regulator in the UK. Under GDPR, an organisation that experiences a data breach of any kind is obligated to inform the ICO of the breach, exactly what was exposed and what measures are being taken to mitigate damage, within 72 hours of discovery. Failure to do so is an offence and will result in a fine. Furthermore, GDPR requires certain businesses to appoint a dedicated ‘Data Protection Officer’ who is an expert on GDPR. The details are a little cloudy on this at present, but it is quite possible that schools will fall into this category.

The next consideration involves processing of personal data and consent. GDPR gives individuals more control over the use of their personal data. At a recent visit to an Independent School, this topic came up when the bursar mentioned that they perform wealth screening on prospective parents. Whilst this is a savvy business practice, under GDPR withholding personal information for the purposes of wealth screening can only be legally performed with the explicit consent of the individuals in question. Furthermore, the school must keep a record of exactly when consent was given and must make it clear to the individual the basis for which the school requires this information. The individual may also withdraw consent at any time, at which point withholding personal information becomes illegal.

In certain instances, passive consent is allowed. For example, when a pupil enrols at a school, it is implied that the individual gives consent for personal information to be stored by the school for the purpose of providing them with an education and pastoral care.

Once you have collected that data, the question of where that data is stored arises. Whilst many Independent Schools still store all their important data in servers on-site, cloud adoption is accelerating. Popular cloud services such as OneDrive or Dropbox are provided by U.S. based companies and are powered, for the most part, by U.S. based datacentres. U.S. data protection law is not as stringent as EU legislation and reliance on U.S. based storage could lead to compliance issues.
That doesn’t mean that storing data on-site is a preferred option. In almost all cases I have dealt with in my long career in the IT industry, on-site storage options are less secure than their cloud counterparts. The only exception is for organisations that make their cyber-security a top priority, throwing vast amounts of cash at servers, monitoring software and antivirus. A cloud storage option such as ShareFile is a strong offering if security is mission critical.

A final important consideration is that of Social Media and pupil internet usage. This links back to my earlier paragraph on consent. Because most school pupils are under 16, they can never legally give consent online. An Independent School, particularly one that has boarding pupils, acts as a legal guardian for those pupils while they are on school grounds. The school is therefore legally responsible for the information they share online, and the websites and social media accounts they sign up for while on school grounds. Having a stringent acceptable use policy in place for pupils’ internet use is a good first step, but educating the pupils on the dangers of posting personal information online would go a positive step further.

As the GDPR deadline looms, I cannot stress enough the importance of taking action now. In the business sector, GDPR is getting increasing air time and most parents will be aware of the regulation by now. To show that your Independent School is on top of the changes, I recommend a letter to inform parents that your staff are aware of the changes, and that your school is making the necessary steps to reach GDPR compliance by the May 2018 deadline. Proactively reassuring parents that the personal information of themselves and their children is safe will put minds at ease.

Towards the end of the last academic year, I received a number of requests for assistance with GDPR. To Independent Schools with a genuine need and interest, I met with bursars to discuss further. I am continuing to offer this service at the beginning of this academic year. If you would like advice on GDPR compliance, please do not hesitate to get in contact with me on 0330 002 0045 or email schools@entrustit.co.uk

No comments:

Post a Comment