GDPR: Helping you to be prepared
Welcome to our guest blogger Paul Norris, Principal Consultant at Infinity Consultancy Ltd. Paul leads on developing governance models to ensure compliance in relation to ICT and data protection. He is ideally placed to share his knowledge and practical experience to help you make sense of new regulations on data protection. Follow his guide, so you can be well prepared for the change in legislation in 2018.
What is GDPR?
The General Data Protection Regulation comes into law on 25th May 2018, replacing the existing Data Protection Act. GDPR extends the rights of individuals and the definition of personal data. It also brings in new governance requirements and penalties. Non-compliance with the Regulation can attract fines of up to 2% of your annual income (capped at €10M), and data breaches fines of up to 4% (capped at €20M).
How will it affect schools?
The new Regulation now applies to both data controllers and processors and requires schools to keep records of their processing activities for both electronic data and manual organised filing systems. Schools need to record what personal or personally sensitive data they hold, who is responsible for that data, how it is stored and managed, how long it is kept for and how and when it is securely deleted.
If the processing is considered ‘large scale’ or ‘risky’, terms yet to be fully defined, then a risk assessment, called a Data Privacy Impact Assessment, needs to be completed and the results and mitigations recorded. Individual schools may escape this classification, but multi academy trusts (MATs), as the data controller for all of their schools, will fall into the large-scale category because of the processing carried out in their MIS systems.
There are new rules around consent. Schools must keep records to show that consent was given as an affirmative action, stating how and when it was given. Consent can also be withdrawn by the data subjects at any time, except where there is a legal requirement to carry out the processing of personal data such as keeping pupil or staff records. Privacy notices will need to state clearly why the data is required and how it is stored and processed.
When the new Regulation becomes law there will also be a requirement to report data breaches within 72 hours and to have a plan for how to manage and contain a breach. Key to this is how those affected by the breach are informed and supported to manage the effects that the breach may have on their rights and freedoms. Having good plans in place can help mitigate potential fines.
What will happen if we don’t pay attention to it?
There is no escaping the fact that the rules for holding and managing personal data require a higher level of governance and control than is currently required. Failure to do anything will leave the school at risk of an investigation or audit by the regulator, the Information Commissioner's Office (ICO), and the possibility of significant new fines. An important change in the law is the requirement to be compliant with the Regulation or risk fines. Currently fines are only levied if you have an actual breach.
What do we need to do to prepare for GDPR?
The new Regulation extends the need for greater accountability and governance when handling personal and personally sensitive data. Appointing someone to act as the Data Protection Officer is the first step, along with starting to raise awareness across your school or Trust of the need to manage data more securely.
You should conduct an audit of what is held, who owns or is responsible for it, how it is processed and any risks associated with the processing. The IT department needs to be involved, because it is not just organisational measures that need to be in place to protect data, but technological ones as well. Running old server operating systems that are no longer supported or patched will be considered a non-compliance issue, and they will need to be upgraded.
Schools need to look at their entire use of IT and its security, which adds a whole new level of complexity to the management of IT systems. Many schools do not have the IT skills to achieve this and should consider getting outside help.
Are there any ways to do it relatively cheaply?
GDPR will create a lot more work for already hard-pressed administration and IT teams, and the amount of work required should not be underestimated. The cost will very much depend on how well a school manages its data currently, the current state of its IT systems and how aware staff are, through training and awareness programmes, of how to manage personal data securely.
There is no magic wand for this; implementing data protection by design and default will take a lot of work. The sooner the project starts the better, as there is only a year before the Regulation becomes law. This is a very tight timescale, considering what needs to be in place. It is vitally important that this has the highest level of support and drive to deliver the project, with engagement from the Board of Governors and the Senior Leadership Team.
How cheaply you can do this needs to be tempered against the possibility of the new fines and the disruption and reputational risk of non-compliance or breaches becoming public; the ICO publishes infringements of the Regulations. It does present an interesting dilemma though. There is no additional money from the DfE to cover this work and the cost, for example of upgrading IT systems or additional staff, may be prohibitive for some schools. This could leave them open to fines, for the simple reason they could not afford to become compliant with GDPR. There is no forum discussing this at a government level and school budgets are already under massive pressure just trying to maintain Teaching and Learning to a satisfactory level.
Though this is a subject for a different blog, schools should consider some of the cloud service and storage options now being offered by the major players such as Microsoft and Google. These companies have cloud solutions, with special pricing or offered free to schools, that can support your efforts. Google’s Vault storage, for example, is given free to schools and offers encrypted storage, which goes a long way towards securing your data. The ICO will not fine you if encrypted data is stolen, as it is of no use to the criminal community.
Whilst GDPR adds to the workload, moving data to the cloud in a planned and considered way can bring considerable benefits such as reducing in-house storage costs, providing more flexible access to data and improving data security. It is far safer to access data in the cloud than to carry it around on laptops, which can go missing, for example.
Are there any tools or templates to help me plan and how can we find out more?
The ICO has a specific area on its site (https://ico.org.uk/for-organisations/data-protection-reform/) with more information. It has also published a 12-step guide to the steps to take now, at https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.
The most important piece of advice is ‘Ignore This At Your Peril’. Data subjects are becoming more informed about their rights, and they expect their data to be kept secure when they hand it over to someone else. Schools hold huge quantities of personal and personally sensitive data on both staff and pupils, who have a right to know it is kept safe.
Every week brings new revelations of data breaches in the press. Don’t let it be your school or Trust.