Do the new general data protection regulations apply to schools?
A hot topic at the moment doing the rounds is GDPR. The time is ticking with the new regulations coming into force on the 25th May 2018. Less than 3 months away! However, although the penalties for any organisation falling short are severe with penalties that could reach 4% budget or £20m, here at Nustream we regularly talk to schools who have made little or even no headway in preparations. And you’re not alone. A recent UK government survey identified that less than half of GDPR-aware companies are aware of it.
What does “GDPR” stand for?
GDPR stands for General Data Protection Regulations.
Does GDPR apply to schools?
Yes. GDPR applies to schools as Data Controllers. Article 4 section 7 of the GDPR defines the Data Controller (the organisation or individual to whom the regulations apply) as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The ICO has published specific GDPR guidance to the UK education sector which in it clearly states that Schools are acting as Data Controllers under the Data Protection Act (DPA) and will be doing so under the GDPR.
Where to start?
If you’re reading our blog then you’ve heard of GDPR. If your school’s current methodologies are DPA 1998 compliant than you are half way there. A gap analysis exercise can help you understand where your existing policies fall short of the new regulations. It can help outline what data you have, the purpose for collecting the data that you have got, and what legal basis you are collecting that information for.
GDPR does apply to schools with the ultimate legal responsibility falling on to the governing body or academy proprietor. With three months to go it is time to undertake a gap analysis.
Register for a FREE webinar on “GDPR Compliance for Printing Scanning and Copying for Schools and Colleges” on the 3rd May at 2pm.