GDPR

The General Data Protection Regulation (GDPR) is EU-wide legislation which determines how people’s personal data (information that can identify a living individual) is processed and kept safe, and the legal rights individuals have in relation to their own data. GDPR came into effect on 25 May 2018; in the UK it is supplemented by the Data Protection Act 2018, which replaced the Data Protection Act 1998.

What does GDPR mean for schools?

A great deal of the processing of personal data undertaken by schools will fall under a specific legal basis, the ‘public task’ basis (processing necessary for a task carried out in the public interest). As operating schools successfully is in the public interest, specific consent will not be needed in the majority of cases in schools.

GDPR will ensure data is protected and will give individuals more control over their data. In return, schools will have greater accountability for the data they hold:

  • Schools, as public authorities, must appoint a data protection officer, who will advise on compliance with the GDPR and other relevant data protection law
  • Privacy notices must be in clear and plain language and include some extra information: the school’s ‘legal basis’ for processing, and the individual’s rights in relation to their own data
  • Schools will only have one month to comply with subject access requests (extendable by a further two months only where a request is complex or numerous, and the individual is told why within the first month)
  • Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous, and must be as easy to withdraw as it was to give
  • The Information Commissioner’s Office must be notified within 72 hours of the school becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; breaches must be recorded internally whether or not they are reported
  • Organisations will have to demonstrate how they comply with the new law, for example by keeping records of their processing activities and the decisions behind them
  • Schools will need to carry out a data protection impact assessment before using data in new ways that are likely to result in a high risk to individuals, or before implementing new technology to monitor pupils