THE management of data and information in schools will change with the introduction of the General Data Protection Regulation (GDPR) in 2018. Steve Nelson, operations director at Calibre Secured Networks, which provides IT services to dozens of schools, warns that those with responsibility for implementation need to start preparing for its arrival.
The GDPR will, from 25 May 2018, replace the Data Protection Act (DPA), signalling a change in the way schools manage and look after a wide variety of data and information: from paper in filing cabinets, through to the keeping of student and staff records to monitoring day-to-day activities and security.
It is essential that the people in charge start planning their approach to GDPR compliance sooner rather than later, and that all those involved are not only made aware of but also understand, the changes and embrace them - it may involve implementing new procedures to deal with greater transparency and individuals’ rights provisions with wider budgetary, IT, personnel, governance and communications implications.
Strengthen and unify
So what exactly is GDPR and how will schools be affected. And, importantly, what can they do about it in the coming next 12 months to be ready? In simple terms, it is a new data protection regulation that will strengthen and unify the safety and security of the information held by an organisation. Its set to replace the DPA, making radical changes to many existing data protection rules and regulations that schools among other academic and educational establishments currently adhere to under the DPA.
So what should you watch-out for? Under the DPA, non-compliance could see fines of up to £500,000 imposed by the ICO. However, failure to comply under the GDPR could see eye-watering fines of up to €20 million (or 4% of turnover – whichever is greater) for both the data controller and anyone else involved in the chain such as those with responsibility for data shredding and disposable.
Contract arrangements are set to change. Under the GDPR it will be illegal to not have a formal contract or Service Level Agreement (SLA) in place with your chosen IT partner. It will also be a criminal offence to choose an IT recycling partner/data processor who doesn’t hold the minimum competencies and accreditations for IT asset disposal (i.e. ADISA, ISO 27001, Blancco etc.). You must be able to demonstrate that you are working with an accredited company when it comes to disposing of your data and IT equipment.
Moreover, if you’re already complying with the DPA it doesn’t necessarily follow that you will be automatically compliant under the new GDPR law. While a number of the GDPR’s foremost principles are similar, there will inevitably be some new elements and significant enhancements, driving the need for some things to be done differently.
As such, the Information Commissioner's Office (ICO) guide is useful reading to ensure that decision makers and key people in schools are aware that the DPA is changing to the GDPR. Look at the information you currently hold and organise an information audit, documenting the personal staff and student data that’s held on file, where it came from and who accesses it. Review current privacy guidelines and draw-up plans to accommodate any necessary changes, while checking that current procedures cover all the rights individuals have, including how you would delete personal data or provide data electronically.
Make sure you’ve got the right procedures in place to detect, report and investigate a personal data breach and assign a data protection officer who can begin workingout when to start implementing the school’s Privacy Impact Assessments. E-safety is also of critical importance; so if you have a policy, review it to ensure it will be fit-for-purpose. If you don’t, having a clearly defined policy in place will be vital in ensuring that all key stakeholders know what needs to be done to remain compliant when the GDPR comes into effect. It also helps to protect all of the data that’s held on the systems within your school. An e-safety policy can help keep everything safe against any occurrence – be it malicious attacks on your network, viruses, phishing, or even the way your old IT technology gets disposed.
(There are a number of incidences where both the ICO and Ofsted have come down hard on institutions that fail to have the correct policies and procedures in place. Best practice is to find a suitable partner who can help you manage all of that in asafe, secure and compliant way).
There are a plethora of IT partners out there who can help and hold relevant accreditations such as ADSIA with Distinction, Blancco and ISO 27001 but also consider factors beyond paper credentials and accreditations.
Start by identifying exactly what it is that you are looking for. And to do this, it’s essential to bear in mind budgets, service-level agreements, current technology, and the availability of internal IT expertise. Also, better to opt for a single source supplier who offers hardware, software, networking and support. This can avoid the need for multiple suppliers, problems relating to aftersales and technical support, and poor levels of customer service (be wary of the supplier who’s not prepared to go the extra mile to prove the value of the partnership).
It’s important to have some element of SLA in place, which should be linked to what you want from the service that can directly contribute to GDPR and never be afraidto challenge your supplier over SLAs, and undertake regular reviews. These will not only reveal if conditions are being met, but ensure you have clear and realistic expectations from the outset. Insist on having a dedicated contact or account manager to avoid the confusion and stress of contacting a different person every time you ring up.
Another key to success is identifying and preventing problems before they happen to reduce downtime. A decent service provider will regularly visit customers to assess and identify how IT is currently used, and what changes can be made to better manage it in future - their familiar face at your premises will reflect a willingness to demonstrate the value they place in you as a customer. And what happens if your school expands or needs change in the run-up to the arrival of GDPR and post event?
It’s important the supplier works with you to plan for growth and change as it’s easy to forget that extra staff places or additional pupil numbers place increased demand on IT resources and capabilities. A good IT supplier should be able to help predict how your needs will change in line with your strategy. So plan to build your IT in a highly scalable way.
There’s little doubt that GDPR is set to have an impact but how much remains to be seen. One thing is for sure: schools need to be thinking about how it will impact on them and, if necessary, seek out external partners who have the wherewithal to help them understand how to leverage technologies so that when it does come into force, they’re ready for it. More about GDPR at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/