This sessions provides 10 steps schools can take in the 10 weeks leading up to the enforcement of the General Data Protection Regulation on 25 May 2018.

1. Education law conferences 2018
Keynote 2: 10 steps in 10 weeks to GDPR
compliance

2. 10 steps in 10 weeks to GDPR compliance
Is it really that straightforward…?
Join the conversation #BJ_EDC

3. Why the change?
Very different data landscape than in 1998

4. Why the change?
90% of all data in the world today created in past few years
2.5 exabytes - that's 2.5 billion gigabytes (GB) - of data was
generated every day in 2012
2018 - 50,000 GB per second

5. Data per minute today
• 216,000 Instagram posts
• 204,000,000 emails
• 12 hours of footage is uploaded to YouTube
• 277,000 tweets are posted

6. Key points
• Comes into effect on 25 May 2018 across Europe
• Main concepts and principles remain the same, but new
elements of it enhance the provisions under the DPA
• Some hefty fines… Up to €20,000,000 fine

7. Sli.do – vote now
How are we feeling about GDPR?
• GDP what…?
• I’m getting there
• I’m worried about staff compliance
• I’m relaxed, I’ve got it all sorted

8. The 10 steps
Join the conversation #BJ_EDC

9. Steps to take now
1. Awareness and leadership across the trust
2. Review the information you hold and how and why you
process (include mapping tool)
3. Third party data sharing contracts
4. Review privacy notices and retention and destruction policy
5. Review procedures for individual rights and SARs

10. Steps to take now
6. Review how you obtain consent
7. Data breach management
8. Privacy by design
9. Take the opportunity to review staff practices
10. Consider training/re-education needs of staff

11. 1. Awareness and leadership
• Make sure decision makers aware of change and impact
• Nominate a responsible member of SLT
• Organise a working group (IT, HR) and put regular meetings
in the diary

12. 2. Information you hold
• Carry out a data mapping exercise
• Document the information you hold
• Where did it came from?
• With whom do you share it?
• Why are you keeping it?
This gets you 50% of the way there…

13. 3. Third party contracts
• Do you share information with other companies?
• Payroll?
• Catering contractors?
• Review the contracts. If they go beyond 25 May 2018 they
will require amendment to reflect GDPR changes
• Ask those third parties to confirm GDPR compliance

14. 4. Privacy notices and retention/destruction
• New privacy notices must include:
• Legal basis for processing
• Data retention periods
• Complaints
• Concise, easy to understand and language
• ICO privacy notice code of practice reflects changes

15. 4. Privacy notices and retention/destruction
• Do you have a retention/destruction policy?
• Why did you choose those timeframes?
• Do you follow it?
• IRMS Information management toolkit for schools

16. 5. Individual rights and subject access request
• Check procedures to make sure they cover all new rights
• Subject access
• Inaccuracies corrected - rectification
• Information erased (‘right to be forgotten’)
• Object to direct marketing and automated decision-making
and profiling

17. 5. Individual rights and subject access request
• Must provide the following to data subjects on request:
• Identity and contact details of data controller and DPO
• Intended purpose of processing and period it will be stored
• Existence of rights: access, rectification, object and erasure
• Right to complain internally and to a supervisory authority
• Categories of recipients to whom data will be disclosed
• Information must be concise, transparent, intelligible and
easily accessible

18. 5. Individual rights and subject access request
• No fee
• Must be provided in writing unless otherwise
requested (requestor can ask for electronic format)
• Must respond within one month - can extend for
complex requests
• Manifestly unfounded or excessive requests may
be charged for or refused
This gets you 70% of the way there…

19. 6. Consent
• Must be freely given, specific, informed and unambiguous,
and a positive affirmation of the individual’s agreement
• Cannot be bundled in with other terms/consents
• Withdrawal of consent should be as easy as grant
of consent
This gets you 80% of the way there…

20. 7. Data breach management
• Must have procedures in place to detect, report and
investigate a personal data breach
• 72 hours from the discovery of the breach to report to ICO
• Breach must be reported unless the personal data breach is
unlikely to result in a risk to the rights and freedoms of
natural persons
• Notify the affected data subjects

21. 8. Privacy by design
• At the outset of every project think about personal data
• Consider how you can minimise personal data use and risk
• Legal requirement to carry out a privacy impact assessment
• ICO guidance on privacy impact assessments

22. 9. Staff practices
…(Governors and trustees/directors too)
• Use of personal emails rather than trust emails?
• Taking hard copy personal data home/out of school?
• Downloading data onto a non-school device?
• USBs, discs, data rooms etc.
This is that difficult final 20%...

23. 10. Training/re-education
• Train staff to recognise a subject access request
• Train/re-educate regarding data security and off site use
• If policies are changed, consider how you disseminate and
evidence staff understanding
• What other training might they need?

24. Sli.do – vote now
How are we feeling about GDPR now?
• GDP what…?
• I’m getting there
• I’m worried about staff compliance
• I’m relaxed, I’ve got it all sorted

25. www.brownejacobson.com/education

26. Please note
The information contained in these notes is based on the
position at March 2018. It does, of course, only represent a
summary of the subject matter covered and is not intended to
be a substitute for detailed advice. If you would like to discuss
any of the matters covered in further detail, our team would
be happy to do so.
© Browne Jacobson LLP 2018. Browne Jacobson LLP is a
limited liability partnership.