GDPR: Schools need to face up to new regulations and act now

News Article

An IT expert has warned that schools may have to free up a member of staff to work three days per week on new EU data protection issues, which are set to take effect in May 2018.

The new General Data Protection Regulations (GDPR) mean that any organisation breaching the rules could be ordered to pay fines of up to 4 per cent of its turnover.

The new regulations, which are designed to improve the safety and security of all personal data held by organisations across Europe will still be binding in the UK after Brexit.

Mark Orchison, managing director of 9ine Consulting, said: “Lots of schools currently use IT equipment until it falls over and dies – with GDPR it’s a high-risk approach to continue using equipment that is out of warranty or doesn’t have up-to-date software.”

It is thought that a designated data protection officer might have to spend up to three days a week on data commitments and out-of-date IT equipment could have to be replaced, putting additional strain on school budgets.

Schools Week reported that during 2015, 66 schools admitted that they had suffered data breaches which included accidental loss, theft or revealing of information.

Although no action was taken in these cases, under new GDPR rules, similar cyber security breaches would require schools to alert the Information Commissioners Office within three days.

According to Orchison, it is “highly likely” that the ICO would take action if it was discovered that the school was not meeting the new rules.

The General Data Protection Regulation (GDPR), which will replace the Data Protection Act in May 2018, will apply to all organisations including academies and charitable organisations.

The GDPR will tighten the rules associated with the storage and handling of personal data. Organisations will be forced to maintain a thorough record of how and when an individual gives consent to be contacted, while individuals who opt to withdraw consent must be deleted from storage permanently.

Amongst other changes, these new measures will permanently alter the scope of business marketing activities.

B J Chong, a Partner with Palmers, who specialises in company law issues affecting the education sector, said: “The clock is ticking and many schools are still not getting to grips with the imminent changes to data protection which will significantly affect them.

“A potential breach could not only lead to a huge fine but also cause reputational damage to a school. It is important, therefore, to ensure that your organisation is fully up to speed with the full implications of GDPR, well in advance of May 2018.”

For help and advice on the implications of GDPR on the education sector and how your organisation can be fully prepared for the new legislation, please contact us.