Subscribe to our free fortnightly newsletter and stay ahead with the latest news in edtech

Navigating the brave new world of GDPR

Getting processes up to speed will enable academies to benefit, says Chris Harris, Partner at MHA MacIntyre Hudson

Posted by Julian Owen | April 25, 2018 | Law, finance, HR

Many of us are delighted when supermarkets send us personal offers, when Google knows we are thinking about a holiday destination or Spotify creates a play list based on the music we listen to. However, people are becoming familiar with the darker side of data use, especially with scandals such as Facebook selling data to Cambridge Analytica catching their attention.

At the same time all organisations, including academies, have to deal with the potential burden of complying with the General Data Protection Regulation (GDPR) that comes into force on 25 May 2018. Some may see this as additional pressure alongside safeguarding, health and safety, and other legal responsibilities. However, it’s possible to make a virtue out of this new regulation, improving communication with students and parents, and reducing the likelihood of disputes. Better data protection policy, embedded in effective IT security practice, can make internal activities more efficient and secure.

Academies should be familiar with existing data protection law requirements, especially in relation to sensitive data held concerning children. The key difference with GDPR is the principles are much more explicit and the rights of the individual are strengthened. With heightened public awareness, academies will need to be ready for more questions from staff and parents, and there are three steps they can take to ensure they have the right processes in place:

Implement a data protection management structure

This needs to be built for ongoing monitoring and management, just like a health and safety regime. It starts with awareness and needs to be appropriate depending on the nature of the role the person has; governor, teacher or secretary. There is plenty of free guidance available on this, although it might be worthwhile getting an external advisor to lead initially.

"By making internal data processes more efficient and secure, academies can confidently communicate with those concerned about the use of their personal information in the new data driven world."

Create a data map

This will identify what personal data is held, where it is and in what format, who is responsible for it, how long it should be kept, the reason (legal basis) for holding it, the scale of risk if it were lost, and the controls in place to prevent loss. The data map should also identify any data transfers and exchanges with third parties. This can be time-consuming but it is a useful process to encourage people to consider the personal data they use, and once it is in place it is a key part of data protection management.

Understand the legal basis which supports holding personal data

The majority of data subjects will be staff or students/parents and the legal basis used is contractual. Personal data from students and parents is required for education purposes, and data from staff relates to the duties of the employer. Data should only support those purposes. The key is to make sure data subjects are informed that information is held on them and the reasons for doing so explained. Clear communication via privacy notices will ensure there are no surprises. If the academy has personal details of applicants to the school this is not contractual, but instead is in the legitimate interest of the data subject. Consent should be used when there is something that is not part of normal expectations, for example a school trip.

The new emphasis on individual rights is likely to lead to more subject access requests; academies must have procedures ready to respond within the one month deadline. They also need to monitor and report data breaches within 72 hours of discovery; keeping records of breaches will inform the risk management process and improve the use of resources.

These steps will help academies manage their personal data responsibilities. By making internal data processes more efficient and secure, they can confidently communicate with those concerned about the use of their personal information in the new data driven world.

Ffi: MHA MacIntyre Hudson


Subscribe to our free fortnightly newsletter and stay ahead with the latest news in edtech

Related stories

After GDPR - what comes next?

The new world of GDPR

How to remain compliant in a GDPR world

Market place - view all


Leading IT infrastructure provider of software licensing, hardware...

Text Help

Texthelp Ltd, was first incorporated in 1996 and quickly became th...

Document Solutions

With our experience we help organisations to optimise their entire ...