Subscribe to our free fortnightly newsletter and stay ahead with the latest news in edtech

How to remain compliant in a GDPR world

May 25 sees the General Data Protection Regulation become law in all European member states - and it carries manifold obligations, says Dawn Jotham

Posted by Julian Owen | May 22, 2018 | Law, finance, HR

For the past few months, the General Data Protection Regulation (GDPR) has been a much-discussed subject. You will not have failed to notice that, on Friday, the GDPR becomes law in all European member states, including the United Kingdom, completely replacing the Data Protection Act 1998 (DPA).

Whilst many organisations and educational settings have taken time to prepare for the implementation date, it doesn’t end there. The GDPR, like the DPA before it, will continue to be an important part of all planning and induction training.

Here are six rules to follow to ensure you remain compliant:

1. Notification of a breach

Under the GDPR, data controllers are under an obligation to maintain a breach register where all breaches, no matter how trivial, are recorded and monitored.

For serious data breaches, likely to result in a ‘risk to the rights and freedoms of individuals’, the breach must be reported to the ICO within 72 hours of your becoming aware of it.

Where there is a high ‘risk to the rights and freedoms of individuals’ as a result of the breach, the data subject must also be notified without undue delay.

2. Conduct Data Protection Impact Assessment (DPIA), also referred to as a Privacy Impact Assessment (PIA)

If any data system is being introduced that involves using personal information in a way it has not been used before, or new data is being collected for a new purpose, then a DPIA must be conducted.

DPIAs can help to identify and reduce the risk of harm when using personal data. The DPIA poses a series of questions designed to ensure that organisations are thinking carefully about the implications of a new system before it is implemented – this is called ‘privacy by design’.

Note: A guidance checklist and a template for conducting a DPIA are freely downloadable here.

"Whilst many organisations and educational settings have taken time to prepare for the implementation date, it doesn’t end there." 

3. Identify and support a Data Protection Officer (DPO)

The GDPR introduces a new role of Data Protection Officer which all public authorities and bodies - including all educational establishments - should have in place by now.

Following May 25, the Data Protection Officer should:

 - monitor compliance with the GDPR and other data protection laws, data protection policies, awareness-raising, training and audits

 - maintain a breach register; liaising with the ICO regarding serious data breaches

 - monitor Data Protection Impact Assessment (where needed)

The Data Protection Officer must have authority and be empowered to carry out their role and report to the highest management level in your organisation. The person appointed cannot be disciplined for carrying out their role, or disregarded or dismissed because the people at the top don’t want to do it.

To ensure your organisation remains compliant, Data Protection should be on the agenda at all high level monthly organisational meetings.

4. Formalise relationships with data processing suppliers

Under the GDPR 2018, it is illegal not to have a formal contract or service level agreement with your chosen data processor. Any new data processors or IT recycling suppliers that you work with must have minimum competencies and accreditations; using one who does not meet the minimum competencies will become a criminal offence.

5. Understand the right to erasure

Outside of schools, data subjects can demand that personal data held about them is erased. However, in a school setting, student records have to be retained under statutory provision in The Education (Pupil Information) (England) Regulations 2005:

 - For primary schools this is whilst the student is at the school, after which it should follow them when they leave

 - For secondary schools, this is until the date of birth of the student is +25 years

A full retention schedule for schools is freely downloadable from the Information and Records Management Service (IRMS), detailing all areas of document retention for a school. You should also speak to your local authority for further advice.

6. Implement robust induction training

As with evidencing compliance with the DPA, all new starters should receive GDPR training on induction using courses, such as EduCare’s online training courses ‘An Introduction to the GDPR’ or ‘A Practical Guide to the GDPR for Education’.

Dawn Jotham is Product Development Lead for Education at EduCare.

Subscribe to our free fortnightly newsletter and stay ahead with the latest news in edtech

Related stories

After GDPR - what comes next?

The new world of GDPR

Navigating the brave new world of GDPR

Market place - view all

Jamf software

Solutions for education. Power the digital classroom with Apple an...


Interface is a global leader in the design and manufacture of susta...


Sherston Software is a leading producer and publisher of software f...