Ian Richardson
Built hundreds of websites and helped countless schools realise their potential online. Ian should be called upon for straight-talking advice and to make a difference to the way you present your school through every outlet.
GDPR – Top 4 Things Schools Are Confused About
18 months after the GDPR and DPA 2018 became law, many schools still haven’t fuelled up for their data protection compliance journey and many have not even left the driveway! Whilst I recognise educating children is the prime objective of schools, the safety and well-being of every person in the organisation is essential to achieve that goal. Protecting and securing personal data is part of that.
I developed our GDPRiS software to streamline schools’ compliance journeys and to offer guidelines to ensure they can meet the legal requirements. Schools ask our Customer Success Team loads of questions and there’s a common thread across most of them showing that schools are still confused.
Here are our answers to the top 4 things schools regularly ask:
The data controller is 100% responsible for ensuring all data is processed appropriately and kept safe. The organisation, i.e. a school or MAT, is the data controller. Thus, its governing body carries full responsibility for ensuring that data protection meets legal requirements and data is kept at the highest standard of security.
The Data Protection law imposes three basic duties upon data controllers:
It’s a responsibility that cannot be taken from you.
This is such a common question and the answer is all about risk.
A leading barrister once told me that if any school wants to be 100% risk-free we should tell them to send all the children and staff home and raze the buildings to the ground. No activity can be risk-free. However, you must consider the risks and act accordingly to reduce them.
What is the risk to a child if someone else’s parent sees their books? Maybe the child could be teased and that’s not right! Thus, find some way to reduce that risk without stopping a very valuable educational activity.
It’s not rocket science, just common sense.
Your DPO must be independent to oversee your data protection processes. For important assessments and tests, you don’t allow children to mark their own work. Likewise, the Head, Deputy, Business Manager or Head of IT will make decisions about data protection at school and this must be open to independent scrutiny.
There is no organisation that has no data breaches. However, we have a culture of hiding our shortcomings and pretending they didn’t happen. Reporting every breach will have a very positive impact on data protection in your school. If you know what you did wrong, you can fix it and become better. Even the near misses hold important lessons that can be learnt.
So, what counts as a data breach? Here are just a few examples:
I have no doubts that the new data protection laws have forced many organisations to review their policies and procedures and give individuals greater reassurance that their data is safe. Schools are custodians of large quantities of sometimes very sensitive data and we owe it to our students and staff who work at our schools to keep it safe.
Lynne Taylor is Founder and CEO of GDPR in Schools (GDPRiS) and founder of ParentPay. Lynne is passionate about helping schools focus on educating the children in their care. When she realised the increased workload and indeed financial impact that managing the changes to data protection was going to have in schools, she gathered her team of dedicated educationalists to develop a low-cost cloud-based solution for schools. More than 2,500 schools currently rely on GDPRiS to monitor and manage data protection.