It’s that time of year again: the summer break is over and it is back into the routine for another academic year. Any bursar will tell you that September is an extremely busy time of the year, with a seemingly endless list of things requiring attention. In the hubbub of the new academic year it is easy for tasks to be put on hold, which is why I am taking the opportunity in this edition of ‘educateIT’ to gently remind headteachers and bursars of a deadline that is now two months closer – the GDPR regulation.
I’ve spoken so much with bursars about GDPR recently that I am starting to feel like a broken record, but the reality is that it is so important that it will be on the agenda right through until the 25th May 2018 deadline and beyond.
After a well-deserved 2-month break, you may be racking your brains to remember exactly what GDPR entails. The General Data Protection Regulation (GDPR) is a piece of EU legislation designed to provide a common data protection policy amongst EU member states. When it comes into effect next May, it will supersede all existing data protection regulations (in the case of the UK, that is the Data Protection Act 1998). Because current data protection legislation differs across member states and was introduced before the cloud and social media, it was clear that modern legislation was required.
No doubt, if you have heard about GDPR, you will have heard the scare stories about fines of up to €20 million for non-compliance. As an independent school, it is unlikely that you could ever face such an astronomical fine for non-compliance; these fines are reserved for the worst offenders. However, it is a safe assumption that under GDPR fines for non-compliance will increase substantially. For more on GDPR, read my blog from March 2017 entitled “GDPR – What’s it all about and how does it affect Independent Schools?”
During my visits to Independent Schools at the tail end of last term, I was frequently asked when would be a good time to start tackling the issue of GDPR compliance. At that time, I urged schools to begin work as soon as possible – since compliance is not something that can be attained overnight. In the new academic year, with the deadline less than 9 months away, my message is that if your Independent School hasn’t begun the process of GDPR compliance, it should be as near to the top of your agenda as possible.
With that in mind, what are some key considerations an Independent School should make as it progresses towards GDPR compliance?
Firstly, it is a good idea to get acquainted with the Information Commissioner’s Office (ICO), the Data Protection Regulator in the UK. Under GDPR, an organisation that experiences a data breach of any kind is obligated to inform the ICO of the breach, exactly what was exposed and what measures are being taken to mitigate damage, within 72 hours of discovery. Failure to do so is an offence and will result in a fine. Furthermore, GDPR requires certain businesses to appoint a dedicated ‘Data Protection Officer’ who is an expert on GDPR. The details are a little cloudy on this at present, but it is quite possible that schools will fall into this category.
The next consideration involves the processing of personal data and consent. GDPR gives individuals more control over the use of their personal data. At a recent visit to an Independent School, this topic came up when the bursar mentioned that they perform wealth screening on prospective parents. Whilst this is a savvy business practice, under GDPR holding personal information for the purposes of wealth screening is only legal with the explicit consent of the individuals in question. Furthermore, the school must keep a record of exactly when consent was given and must make clear to the individual the basis on which the school requires this information. The individual may also withdraw consent at any time, at which point continuing to hold that personal information becomes illegal.
In certain instances, passive consent is allowed. For example, when a pupil enrols at a school, it is implied that the individual gives consent for personal information to be stored by the school for the purpose of providing them with an education and pastoral care.
Once you have collected that data, the question of where that data is stored arises. Whilst many Independent Schools still store all their important data on servers on-site, cloud adoption is accelerating. Popular cloud services such as OneDrive or Dropbox are provided by US-based companies and are powered, for the most part, by US-based datacentres. US data protection law is not as stringent as EU legislation, and reliance on US-based storage could lead to compliance issues.
That doesn’t mean that storing data on-site is the preferred option. In almost all cases I have dealt with in my long career in the IT industry, on-site storage options are less secure than their cloud counterparts. The only exception is for organisations that make their cyber-security a top priority, throwing vast amounts of cash at servers, monitoring software and antivirus. A cloud storage option such as ShareFile is a strong offering if security is mission critical.
A final important consideration is that of social media and pupil internet usage. This links back to my earlier paragraph on consent. Because most school pupils are under 16, they can never legally give consent online. An Independent School, particularly one that has boarding pupils, acts as a legal guardian for those pupils while they are on school grounds. The school is therefore legally responsible for the information they share online, and for the websites and social media accounts they sign up for while on school grounds. Having a stringent acceptable use policy in place for pupils’ internet use is a good first step, but educating the pupils on the dangers of posting personal information online would be a positive step further.
As the GDPR deadline looms, I cannot stress enough the importance of taking action now. In the business sector, GDPR is getting increasing air time and most parents will be aware of the regulation by now. To show that your Independent School is on top of the changes, I recommend a letter to inform parents that your staff are aware of the changes, and that your school is taking the necessary steps to reach GDPR compliance by the May 2018 deadline. Proactively reassuring parents that their own and their children’s personal information is safe will put minds at ease.
Towards the end of the last academic year, I received a number of requests for assistance with GDPR. For Independent Schools with a genuine need and interest, I met with bursars to discuss further. I am continuing to offer this service at the beginning of this academic year. If you would like advice on GDPR compliance, please do not hesitate to get in contact with me on 0330 002 0045 or email schools@entrustit.co.uk.