Problem solver and innovator. Ben oversees new website projects and is always looking for new features to improve the Schudio School Website CMS.
Are you well on the way to GDPR compliance, or waiting for further guidance on how best to proceed? Have you factored your school website into the scope of your General Data Protection Regulation (GDPR) compliance plan? More generally, are you compliant with the requirements around GDPR for schools?
We are hard at work on our own GDPR compliance - both as a data controller, and a data processor. But why does that matter to you?
The main focus of the GDPR is to improve the rights of data subjects and protect their privacy. The GDPR is designed to improve and enhance the existing Data Protection Act (DPA), and to bring parity across the different EU countries. (Current data protection implementation is very different across EU member states, despite originating from a single EU data protection directive.)
Compared to the DPA, the GDPR shifts the onus to demonstrate compliance to data controllers. Under the DPA the burden was placed on the data subject to demonstrate a lack of compliance. Demonstrating compliance will involve lots of documentation, including a good understanding of all the personal data held by your organisation. There's also a requirement for controllers to only use processors who meet the requirements of the GDPR. However, it's worth noting that the GDPR is not prescriptive in its regulation. It's very much down to each organisation to make reasonable and appropriate decisions and evidence the basis for the data protection decisions they take.
What personal data does your school website process? It might not be very much data, maybe just contact details of visitors who complete your contact form. Websites include a variety of different forms: bookings, contact, job vacancy applications or student admissions, to name a few. Your data mapping should include all these different data processing activities.
As a result, your school website provider is very likely to be acting as a data processor for your school. (Depending on the ongoing service and support you receive, your processor might not be the company who designed your website. For example, if they just provide you with a website design and you have to look after website hosting, then the role of data processor will probably pass on to your hosting company. Investigate this if you are unsure.)
Consider all of the personal data stored on your school website to secure your school GDPR compliance. You can undertake a data mapping exercise to determine all the personal data you collect. This will help determine where that personal data is stored and processed, your purposes for processing and the legal basis you will be processing it under. Details of anyone your data will be shared with should also be included. A collated record of all the data you process (a data map) will be very helpful as you evidence and document the steps taken to achieve compliance with the GDPR.
Don't forget to include your photographs within your data mapping, and the principles within the GDPR that they need to meet, for example your data retention policy for photographs.
It might be a good idea to include specific cases for photographic use within your data retention policy if the retention period is going to be different.
For example the standard retention policy for your photographs might be 5 years. But a longer retention period for photographs used for a specific purpose may be appropriate. Let's think about photographs used in promotional materials and website news articles.
Promotional materials might be created less regularly than the retention policy typically lasts for. Rather than force a re-design and a re-print of the materials, an extended retention period might be appropriate. For example, if you have branded folders, prospectus cover folders or other long-term printed branding materials that feature students in photographs, an alternative retention period might be useful.
Website News Articles
News articles on your school website are likely to be one of the most frequently created content pieces on your website. Photos used in news articles can help give context and enhance the written content they are alongside. With news articles going back 6+ years, still having the photos in place is a nice resource for alumni as well as other visitors interested in the historical goings-on of your school. An extended retention period for photographs used in this way will make your website a much more interesting resource, and a potential source of nostalgic looking back for your alumni.
You will need to justify this in line with the principles of GDPR though. Also don't forget about the decisions outlined in your retention policy. Put steps in place to delete photographs after their retention period has elapsed.
Your website will need to include some updated policies and procedures; some of them may even be new to your school website.
All Schudio clients have access to full control over their contact forms to ensure ongoing compliance with GDPR for schools. This critical feature makes it easy to meet the requirements around how you will be processing data.
The ICO (the supervisory authority for the UK) will be responsible for enforcing the GDPR. They have previously been responsible for enforcing the previous data protection legislation. But enforcement is not all they are responsible for. They provide lots of really helpful resources and guides to help get ready for the GDPR.
We'd love to hear from you if you'd like any more information about preparing for GDPR or want to talk to us about your school website needs. If you're looking for additional resources or school website requirements advice look around the rest of our website. It's packed with useful information. You might also find it helpful to use our School Website Compliance Software - a tool to help you audit your website regularly.
Update August 2019:
The Department for Education have released some suggested privacy notice templates for use by schools and local authorities. These documents could be a helpful basis for creating the privacy notice for your school.
Click here to view the gov.uk page with the resources linked
Don't forget to include any website processing within your privacy notice too!