Experts have called on the Department for Education (DfE) to do more to help schools comply with the new data protection act.
The General Data Protection Regulation (GDPR) comes into force on 25 May, affecting all public and private sector institutions and how they will handle data in the future.
But Geoff Barton, the general secretary of the Association of School and College Leaders, said he has been disappointed with the department’s input on this issue.
Likewise, head teacher Robin Bevan said he has been forced to pay £200 to hire a data consultant to train staff.
“It all seems quite small-scale, until you do that calculation: with 20,000 schools at £200 a time, suddenly £4 million of public money has been spent simply because the DfE failed to publish a simple booklet of advice for schools,” he said.
A Government spokesperson said the DfE “is working with a number of schools and other sector representatives to develop further guidance and case studies to help schools prepare for the introduction of the upcoming legislation.”
So, what is the GDPR?
The key differences are seen in how personal data is stored and used. For example, schools will be forced to maintain records of ‘consent’, and students and other data subjects will be given the right to be ‘forgotten’.
All ‘personal’ data is protected by GDPR. That includes online and offline identifiers, such as IP addresses and phone numbers. As a general rule of thumb, any information which falls within the scope of the Data Protection Act (DPA) will also fall within the scope of the GDPR.
The other key difference is in the penalties for organisations which fail to proactively protect student data.
Under the new regime, the Information Commissioner’s Office (ICO) can issue fines of up to four per cent of global turnover, or 20 million euros, whichever is higher.
By comparison, under current rules the ICO has the power to charge a maximum of £500,000.
From staff blunders to cyber-attacks, a potential data breach can happen at every level of your school. That’s why preparation and due diligence will be your first line of defence in protecting your students’ data.
GDPR is arguably one of the most significant changes in corporate law in the last decade, meaning academy leaders will do well to put in place measures to protect student data before the May deadline.