The General Data Protection Regulation (GDPR) is due to come into force on 25th May 2018. It is a Europe-wide regulation that governs how organisations should save their data and sets out standards for its security and management.
Schools are also required to comply with the new rules. They have always been obliged to give parents and children access to their data, but now, under the new regulations, they have a responsibility to inform them of how their data is being used – and, if required, parents and children will be able to ask for certain parts of that data to be deleted.
The organisation GDPR in Schools (GDPRiS) and Groupcall have partnered up to produce a 12-step checklist for schools to ensure they have all the essential parts of the GDPR covered ahead of its implementation.
In summary, these are:
- Being aware that the compliance deadline for GDPR is 25th May 2018.
- Ensuring correct storage of personal data.
- Checking that any privacy notices have been amended in accordance with new GDPR rules.
- Checking school policies and procedures on individuals’ rights are up to date.
- Being able to deal with subject access requirements.
- Being aware of legal basis and when to comply with this.
- Reviewing consent processes and ensuring that they adhere to the GDPR.
- Knowing how to transfer from dealing with parental consent for young people up to 13 years of age to the pupil’s own consent from age 14 onwards.
- Ensuring procedures are in place should data breaches occur.
- Being knowledgeable about and being able to carry out privacy impact assessments.
- Making sure each school has a Data Protection Officer in place to help ensure GDPR compliance.
- Ensuring that, if an education organisation operates internationally, it is clear which data protection supervisory authority applies.