Author: Al Kingsley, Chair of Hampton Academies Trust and MD of NetSupport Limited.
GDPR arrived in May of this year, so we have had a good few months to ensure our central record is being maintained, staff are trained and reporting is effective. If you are late to the party, here is a copy of my guide from earlier this year on what you need to do.
To a large extent, schools have been left to decide what is relevant to them and what is not – plus, there has only been limited official and local authority guidance. Why is this when it is such a big issue? Well, mainly because the legislation is generic – it would be impossible to document GDPR in detail to take account of the unique circumstances of every single organisation – and it’s therefore open to interpretation.
What’s the best way forward?
GDPR is complicated, but it needn’t be scary. Preparation is crucial. If your school hasn’t yet started taking steps towards becoming GDPR compliant, don’t panic – but do take action now. If you want your school to be able to take this on board and handle it into the future, now is the time to get your ducks in a row.
You’ve probably seen the recommended 12 steps to GDPR, so here are some further ideas to help you tackle this issue in your school…
1. Dedicate time to prepare for GDPR. It’s definitely not something that you can put aside a spare five minutes for here and there.
2. Draw up your own checklists applicable to your school based on each of the 12 steps. Work through them methodically, allocating responsibilities as appropriate.
3. Create a reference log of all the new policies and procedures you’re putting in place, so that all staff have a consistent set of rules to refer to.
4. Ensure you have the right tools to discover where your critical data is located.
5. Make it a priority to sort out who will be your data protection officer. Even if it’s not going to be a permanent solution, you will most definitely need someone to cover the role as soon as the regulations come into force. Get your governors and SLT on board. GDPR is the responsibility of the organisation as a whole, so everyone needs to be pulling together to make it happen for your school. In a multi-academy trust, perhaps a suitably experienced trustee could take on the role.
6. Consider creating a rotating bank of go-to GDPR staff champions who can answer others’ questions. Make this a shared responsibility; don’t let the burden fall on just one person, as there will be many, many questions until new systems bed in.
7. Find all files that contain personal data – right now. These can be either paper or online files. Make sure you know exactly what you have and exactly where it is. This will make it easier for you to formulate your policies for data storage and for what to do if someone requests their data from you at a later date. Also, document all software products that your school is using and be satisfied that they’re GDPR compliant; know what data they store locally and remotely – and why. A software inventory is particularly useful, as it will highlight any non-standard apps that individual teachers may be using.
8. Project plan: If you need technical help (with, for example, setting up systems to manage and record consent or identify a data breach), call a meeting, set a clear, documented project plan and get the process underway now. Alternatively, look at online solutions that can help step you through the process.
9. Procedure plan: Where new procedures will be required under GDPR, plan these in detail and implement new strategies for dealing with them as soon as you can. Use “what if” scenarios to help you plan. For example: What if a USB stick gets left in a PC overnight? How would you report, and provide evidence of, whether it was accessed? And how would you record that breach? Or, what if a parent contacts you asking you to provide all the data you hold about their child? How would you find it? How would you ensure none was missed? How would you collate it? Whose responsibility would it be to find and provide it? How would you achieve this in the set timescale? And so on.
10. Keep a comprehensive evidence data trail of everything that you do so that you can provide records of your compliance activity.
11. Get advice – if there are requirements you’re unsure how to deal with, ask for help. Ask other schools how they’re handling it, research it online or post a question on social media. Everyone is in the same boat in trying to find their way through this, so it’s likely others will be more than willing to share and discuss potential solutions.
12. Know where to go for official information in case queries arise. The authority on GDPR in the UK is the Information Commissioner’s Office.
13. Hold staff GDPR briefings and outline their roles in adhering to the rules, then follow up with training for those with a more prominent part to play.
14. Above all, be organised, be methodical: be prepared!
The countdown is on…
As GDPR requirements will be ongoing, it makes sense for schools to learn to be largely self-sufficient, so speaking to organisations that provide tools for doing this will make the process much more sustainable for the future. It’s better for schools to get to grips with this now, rather than leave it until near the deadline and end up paying a consultant for something they could easily have done themselves.
The important thing to remember is that there’s still time. If, despite all of your best efforts, your processes aren’t quite in place by then, it’s highly unlikely that you’ll be fined on day one.
In summary, this is what schools need to do: gather the facts about your data and know where it is stored; discover how and why the data is used; protect it; record, report and keep all evidence if it goes astray. Yes, it will take some dedicated effort to do that, but it’s nothing that schools can’t handle.