The two-year grace period for organizations to align their systems and processes to General Data Protection Regulation (GDPR) requirements has almost come to an end.
This has left many organizations fighting to adjust their processes in the limited time remaining to comply with the regulations and avoid potential hefty fines. Some of the organizations found in this predicament include schools. Schools are not exempted from the new regulations provided that they handle EU citizens’ data. This new law affects them in a number of ways.
Daily school practices like maintaining students’ and staff’s information databases, monitoring events around the school using CCTV and keeping papers in filing cabinets represent data handling. Under the existing laws, schools have a responsibility to ensure that such data is safeguarded. But with the GDPR, more responsibilities are introduced to ensure that regardless of the form the in which the information is stored; it is handled in compliance with the requirements.
GDPR Data Protection Officer
One of the significant changes brought in with GDPR includes the appointment of a Data Protection Officer. This officer will be tasked with several responsibilities including being the first point of contact, monitoring compliance and informing the staff and the entire organization of their obligations. GDPR comes with specific rules on data handling. It is therefore essential for schools to appoint someone who understands the new requirements. The officer’s responsibilities will include reporting breach failures.
The school’s affiliation with third-party suppliers will have to be monitored. The school will be obligated, as the data controller, to ensure that its external suppliers who handle data operate in strict conformity with the GDPR requirements. This may include software providers or catering services. If the third parties store any data from a school, the administration will have to ensure that they remain GDPR compliant. A formal contract showing how third parties store and process data will have to be documented.
Subject Access Right (SAR) and Right to Erasure
Under GDPR, all data subjects have the right to access their data and request for their deletion (subject access right and right to erasure respectively) when they deem this appropriate. In this case, parents, staff, and former pupils may request to see their personal information held in the school’s database. They can also ask the school to delete their information forthwith.
GDPR changes some of the processes under existing regulations. The timescale to respond to a written request for a copy of personal data is reduced from 40 days to one month. This implies that schools will have to invest in information technology structures that would enable them to provide such information within short notice. This is because that, apart from timescale reduction, the new law also scraps the £10 fee which learning institutions currently charge for subject access right. This means that schools should be prepared for a possible increased number of requests going forward. Their success will depend on the efficiency of their new systems and processes that comply with the GDPR.
It is likely that schools will not require consent to process personal data. It is possible that they will largely rely on the five other lawful bases for processing most of the personal data under their custody so that they can run the schools. However, if none of the five other lawful bases apply to a particular data processing, they will be required to obtain consent. The consent according to the new requirements must be affirmative, clear, and informed.
GDPR is clear regarding transparency. It demands that privacy statements must reference the presence of the new and extended users such as SAR. In this case, schools will be required to be explicit with their stakeholders about the personal information they store. They could make use of privacy notices to communicate with and update them regarding the use of personal data. The issue is to show the stakeholders that their data is used fairly and transparently.
Schools need not panic at this time. They have several ways to satisfy the accountability requirements. They can conduct staff training, implement data audits and maintain records of data processing activities. In addition, the best practice to ensure compliance would be to incorporate the entire process into their daily operations and policies and allow it to form part of their culture.
A Data Protection Officer plays a critical role in ensuring that the school remains on the right track towards GDPR compliance.