GDPR Training for Schools

Certified training, endorsed by Clayden Law

Schools – like everyone else – have to make sure they are compliant with the new General Data Protection Regulation (GDPR). The GDPR increases every individual’s rights over their personal data, while at the same time increasing the burden of responsibility on schools, as controllers and processors of personal data.

The GDPR aims to address vulnerabilities in our increasingly online world. Break the rules and you could jeopardise your school’s budget and reputation. In a worst-case scenario of a serious data breach, schools could be liable to a maximum fine of £17 million or 4% of their annual turnover, whichever is greater.

The general consensus is that these drastic measures are unlikely to be taken against schools, as the ICO seeks to be an educational body rather than a draconian enforcer, but the reputational damage and procedural burden of a mistake will be as painful as any financial cost.

Schools handle a large amount of personal data. This includes information on pupils, staff, governors, volunteers and job applicants. Much of it is sensitive in itself: grades, medical information and images of children. Furthermore, schools often handle what the GDPR refers to as ‘special category’ data, which is subject to even tighter controls. This relates to areas such as ethnic origin, biometric data or trade union membership.

The previous Data Protection Act (DPA) offered no specific provisions for the protection of data in relation to a child. The GDPR seeks specifically to protect the child as a person – particularly against the risks associated with Internet use and online profiles.

Schools are expected to have somebody within the senior team whose responsibility encompasses GDPR and data protection in general. That said, achieving GDPR compliance requires demonstrable buy-in from all staff, leaders, teachers and support staff.

This involves focused training so people are clear about their day-to-day responsibilities, including cyber security, handling general data protection risks and what they should do in the event of a data breach.

Schools that carry out large-scale tracking of individuals or large-scale processing of special category data must appoint a Data Protection Officer (DPO). It is possible to share a DPO amongst schools, if appropriate.

School leaders are responsible for communicating the changes in data protection regulations to staff, parents and pupils in a clear, accessible way. The simplest way to do this is through a privacy notice – sometimes called a privacy policy.

The Government has published suggested privacy notice templates that schools can issue to their workforce, parents and pupils. It has tailored the wording to suit each audience, but schools can review and amend them to reflect their local needs and circumstances – particularly as these templates refer only to data collections. Schools can share these privacy notices on their websites, in induction packs and in staff contracts.

Under the GDPR, it isn’t enough for schools to be compliant; they will also have to prove compliance. This involves auditing and mapping data, and retaining records of processing across all school systems. They need to understand what data is processed, who processes it and the lawful basis recorded for processing it – mapping its entire lifecycle.

They’ll also need to address their technology and systems. Do they allow for efficient reporting? Are they robust enough to keep personal data secure? Is it backed up and accessible in case of a data breach? Are the school’s business continuity and disaster recovery plans up to date?

Introducing new systems

If teachers want to introduce a new piece of subject-specific software or processing system, the school needs to be able to demonstrate a clear process in place for GDPR compliance. This involves informing your DPO and completing a Data Protection Impact Assessment (DPIA).

Subject Access Requests (SARs)

Under the GDPR, schools will have to respond more quickly to Subject Access Requests – within 28 days – and the current £10 charge is waived. These two factors, plus people’s increasing awareness of their data privacy rights, are likely to lead to an increase in SARs, so schools must prepare for this, too.

Reporting a data breach

From 25 May 2018, schools are required to report a data breach to the ICO if personal data is likely to be – or have been – compromised. If a serious data breach occurs, they will also have to inform the individuals whose data is at risk.

Me Learning offers free GDPR Board training, as well as a family of discounted, flexible online courses for key stakeholders and staff. We’ve been working with schools for more than a decade, so we know how to help lighten the growing burden carried by teachers, governors and ancillary staff.



About Me Learning

For over 10 years we have been providing engaging, informative and clearly explained e-learning materials in a flexible format for our learners.

We've won awards, we've won hundreds of organisations as clients, and we've been used by hundreds of thousands of satisfied learners.

Me Learning Ltd, Registered in England and Wales: Company Number: 5842638
Registered office: Basepoint Business Centre, Little High Street, Shoreham-by-Sea, West Sussex. BN43 5EG