Education
You may think that GDPR doesn’t apply to education because data breaches and hacking in schools are considered less common. This isn't true. Schools tend to have filing cupboards full of sensitive student and staff data, exam records and CCTV footage, plus much more personal data. Today, schools are packed with data stored in many different ways, and it all needs protecting.
What you need to know
Schools and academies need to be aware of GDPR and what they need to do to make sure they’re compliant. On 25th May 2018, legislation on how you process, store, use and dispose of your data changed drastically. The Data Protection Act changed to the General Data Protection Regulation, and you and your learning environment MUST comply. It's your responsibility to ensure that data is kept and managed in compliance with this new regulation, or you could face serious consequences. GDPR increases the responsibility schools have to inform parents and learners about how their data is being used and by whom.
- GDPR became a chargeable law on May 25th 2018
- There will be fines of up to €20 million or 4% of revenue [1]
- If you don't comply, your Ofsted rating could be affected
- You will need to appoint a Data Protection Officer
Why you need to comply
Failure to comply could lead to fines of up to 20 million euros or 4% of your global revenue [2]. More importantly, as well as fines, your Ofsted ratings could be seriously affected. Ofsted will now ensure that the right policies and procedures are in place to make your learning environment GDPR compliant as part of their inspection.
- The GDPR will still apply after Brexit
- You have 72 hours to report a data breach to the ICO
- You must be able to prove compliance
- The GDPR replaces the Data Protection Act
What you need to do next
Appoint a Data Protection Officer 
You’ll need to appoint a Data Protection Officer who’ll be responsible for monitoring and enforcing GDPR policies and procedures. You can hire internally and combine the duties of a Data Protection Officer with another role. However, the person appointed must be completely impartial, so those who work in IT, HR or Finance may not be the best choice, as they have access to a lot of data.
Research what GDPR means for you 
There are lots of resources online that can keep you up to date with GDPR. The ICO has a variety of information regarding the GDPR and how it’ll affect the education sector.
Check your data and how you store it 
In order to be in control of your data, you must know:
- What data you hold
- How long you’ve held it for
- And how it’s stored
The data you hold should be secured and encrypted to make sure it doesn’t end up in the wrong hands. You may also find that you’re storing data you don’t need or that has expired (past the date up to which you should keep it). In this case, you must find a way to dispose of it securely, and we can help you with this.
Choose the right technology
We can work with you to ensure that your network, the devices you’re using and your security infrastructure are as secure as they can be. We have a range of recommended secure devices that will make sure you have the best defences when it comes to hackers.
Update your privacy notices
Under the GDPR you must be transparent with your students and those whose data you hold. You must make it clear what data you hold, how it is held and what it is being used for. You can do this really easily with a privacy notice. If you have them already, they may just need updating. There are some good and bad examples of privacy notices on the ICO website.
Encrypt your data
Again, there are several ways you can encrypt your data. We can recommend the best ways to do so and this way you’re adding another defensive layer to your system.
Plan for continuous compliance
You need to make sure that your school and staff are being compliant in everything they do, from handling data to using it or disposing of it. You need to make a robust plan of how you’re going to maintain compliance and not forget about new procedures.
Know the rights:
Under GDPR, the personal data you hold or process about a living person gives them the following rights:
- The right to be informed – you must tell them what data is used, why and for what purpose
- The right of access – parents, staff and students are allowed to see what data of theirs is processed
- The right of rectification – if their data is wrong, you must correct it
- The right to erasure – they can demand that you delete all their data
- The right to data portability – they can decide to move their data to another processor, to which you must then supply the data securely
- The right to object – they can object to your use of their data and you must stop using it
- Rights in relation to automated decision-making or profiling – they can demand that automated decisions about them are reviewed by a human
Get the conversation started
Contact our Education IT Specialists for free, no obligation advice:
0870 429 3020
btbd.publicsector@bt.com
1. Whichever amount is highest
2. Source: https://gdpr.report/news/2017/06/16/gdpr-guidelines-consequences-non-compliance/
3. Source: IDC, 2015.





