This session provides 10 steps schools can take in the 10 weeks leading up to the enforcement of the General Data Protection Regulation on 25 May 2018.
4. Why the change?
90% of all the data in the world today was created in the past few years
2.5 exabytes - that's 2.5 billion gigabytes (GB) - of data was generated every day in 2012
2018 - 50,000 GB per second
5. Data per minute today
• 216,000 Instagram posts
• 204,000,000 emails
• 12 hours of footage is uploaded to YouTube
• 277,000 tweets are posted
6. Key points
• Comes into effect on 25 May 2018 across Europe
• Main concepts and principles remain the same, but new elements of it enhance the provisions under the DPA
• Some hefty fines… Up to €20,000,000 fine
7. Sli.do – vote now
How are we feeling about GDPR?
• GDP what…?
• I’m getting there
• I’m worried about staff compliance
• I’m relaxed, I’ve got it all sorted
9. Steps to take now
1. Awareness and leadership across the trust
2. Review the information you hold and how and why you process it (include mapping tool)
3. Third party data sharing contracts
4. Review privacy notices and retention and destruction policy
5. Review procedures for individual rights and SARs
10. Steps to take now
6. Review how you obtain consent
7. Data breach management
8. Privacy by design
9. Take the opportunity to review staff practices
10. Consider training/re-education needs of staff
11. 1. Awareness and leadership
• Make sure decision makers are aware of the change and its impact
• Nominate a responsible member of SLT
• Organise a working group (IT, HR) and put regular meetings in the diary
12. 2. Information you hold
• Carry out a data mapping exercise
• Document the information you hold
  • Where did it come from?
  • With whom do you share it?
  • Why are you keeping it?
This gets you 50% of the way there…
13. 3. Third party contracts
• Do you share information with other companies?
  • Payroll?
  • Catering contractors?
• Review the contracts. If they go beyond 25 May 2018 they will require amendment to reflect GDPR changes
• Ask those third parties to confirm GDPR compliance
14. 4. Privacy notices and retention/destruction
• New privacy notices must include:
  • Legal basis for processing
  • Data retention periods
  • Complaints
• Concise, easy-to-understand language
• ICO privacy notice code of practice reflects changes
15. 4. Privacy notices and retention/destruction
• Do you have a retention/destruction policy?
• Why did you choose those timeframes?
• Do you follow it?
• IRMS Information management toolkit for schools
16. 5. Individual rights and subject access request
• Check procedures to make sure they cover all new rights
  • Subject access
  • Inaccuracies corrected - rectification
  • Information erased (‘right to be forgotten’)
  • Object to direct marketing and automated decision-making and profiling
17. 5. Individual rights and subject access request
• Must provide the following to data subjects on request:
  • Identity and contact details of data controller and DPO
  • Intended purpose of processing and period it will be stored
  • Existence of rights: access, rectification, object and erasure
  • Right to complain internally and to a supervisory authority
  • Categories of recipients to whom data will be disclosed
• Information must be concise, transparent, intelligible and easily accessible
18. 5. Individual rights and subject access request
• No fee
• Must be provided in writing unless otherwise requested (requestor can ask for electronic format)
• Must respond within one month - can extend for complex requests
• Manifestly unfounded or excessive requests may be charged for or refused
This gets you 70% of the way there…
19. 6. Consent
• Must be freely given, specific, informed and unambiguous, and a positive affirmation of the individual’s agreement
• Cannot be bundled in with other terms/consents
• Withdrawing consent should be as easy as granting it
This gets you 80% of the way there…
20. 7. Data breach management
• Must have procedures in place to detect, report and investigate a personal data breach
• 72 hours from the discovery of the breach to report to ICO
• Breach must be reported unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
• Notify the affected data subjects
21. 8. Privacy by design
• At the outset of every project think about personal data
• Consider how you can minimise personal data use and risk
• Legal requirement to carry out a privacy impact assessment
• ICO guidance on privacy impact assessments
22. 9. Staff practices
…(Governors and trustees/directors too)
• Use of personal emails rather than trust emails?
• Taking hard copy personal data home/out of school?
• Downloading data onto a non-school device?
• USBs, discs, data rooms etc.
This is that difficult final 20%…
23. 10. Training/re-education
• Train staff to recognise a subject access request
• Train/re-educate regarding data security and off site use
• If policies are changed, consider how you disseminate them and evidence staff understanding
• What other training might they need?
24. Sli.do – vote now
How are we feeling about GDPR now?
• GDP what…?
• I’m getting there
• I’m worried about staff compliance
• I’m relaxed, I’ve got it all sorted