The General Data Protection Regulation, which took effect in May 2018, is a wide-ranging regulation designed to protect the privacy of individuals in the European Union and give them control over how their data is processed, including how it is collected, stored, and used. It affects every company that processes personal data about people in the European Union.
What does GDPR mean?
While the General Data Protection Regulation may initially seem intimidating, many view it as a significant advancement in data protection. Here are some key areas that the General Data Protection Regulation addresses:
Personal Data: The General Data Protection Regulation applies to all personal data of individuals based in the United Kingdom, including customers, employees, suppliers, and any other individuals from whom data is collected. Personal data encompasses names, contact information, medical records, and educational data.
Collection of Personal Data: You can only collect personal data for a legitimate reason. For instance, a staff member will need to provide personal information so you can complete your regulatory requirements (Keeping Children Safe in Education). In all cases, you'll need to let them know the reason the personal data will be used, and you should only use it for that purpose.
Staff Contracts: Privacy notices and policies (on websites, for example) must be simple, straightforward, and easy to understand, avoiding complex legal jargon.
Right to Know: Individuals can ask what information a school holds about them. While this right is not new, educational institutions must now respond within 30 calendar days and cannot charge a fee, as they previously could.
Right to Erasure: Parents and pupils (aged 13 and over) can request that the school delete all personal data stored about them unless it needs to retain that data for legal reasons, such as legal requirements as per the Education Act.
Data Portability: Individuals can request a digital copy of their data, including having it transferred to a new school. This also follows Department for Education guidance on transferring the Common Transfer File via Collect, which ensures the child is taken off roll. Any Special Needs data the school has collated should also be transferred securely.
Data Breach Reporting: Certain data breaches must be reported to the relevant supervisory authority, which in the United Kingdom is the Information Commissioner's Office.
UK Adaptation of General Data Protection Regulation: The United Kingdom government incorporated the General Data Protection Regulation into UK law, meaning that UK companies have the same obligations as those based in the European Union.
General Data Protection Regulation and Data Protection.
It is crucial to grasp the essence of the General Data Protection Regulation. This legislation was established in response to the way personal data was handled in the past. Many companies viewed personal data as a resource they could exploit without considering individuals' rights.
For instance, some companies sold customers' email addresses, allowed unauthorised access to sensitive data, and failed to protect data from hackers adequately.
The General Data Protection Regulation aims to restore control of personal data to the individuals it belongs to. It mandates that organisations incorporate data protection as a fundamental aspect of their operations and processes. While this impacts large, data-driven companies, it also significantly affects educational institutions. Below, we have outlined some steps to help you prepare your organisation for compliance.
Does GDPR affect data security?
Data security is a crucial aspect of the General Data Protection Regulation. If you process the personal data of individuals in the United Kingdom, you must keep that data safe, so it is crucial to store it securely.
The General Data Protection Regulation also regulates where companies can store personal data and what safeguards are necessary when processing that data outside the United Kingdom or European Union. For example, if you transfer personal data to a company based in the US that will store and process it there, you need to ensure that the company is certified under the Privacy Shield framework. This mechanism facilitates data transfers from the European Union to the US while protecting personal data.
Summary of GDPR for Education.
The General Data Protection Regulation encompasses many aspects. Still, at its core, it emphasises the importance of being transparent and ethical with the personal data you manage—treating it as if it were your valuable information. Here are some initial practical steps you can take to achieve General Data Protection Regulation compliance:
Check products and services.
- Check which of your products or services collect and process personal data.
- Ensure you have a legal basis for the processing of personal data.
- Ensure you can comply with the obligations to your customers as set out in the General Data Protection Regulation (such as the right of access and the right of erasure).
Review notices and contracts.
- Update your internal and external notices for General Data Protection Regulation compliance.
- Ensure your suppliers' contracts comply with the General Data Protection Regulation.
Assign responsibility.
- Assign someone in your organisation to oversee data protection and privacy.
- Consider appointing a Data Protection Officer – this is where Tru-Digital Protection can assist you.
- Provide data protection training for staff at least every two years.
Take care of security.
- Ensure systems that collect, process and store personal data are secure.