General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) – Statement of Intent

On 25th May 2018, the current data protection law will change to become the General Data Protection Regulation (GDPR).  The GDPR will enforce a number of changes on the ways in which schools and businesses collect, store, use, manage, retain and eventually destroy the personal data of pupils, parents, staff, governors and others.  The Information Commissioner’s Office (ICO) has made it clear that, whilst the law comes into force in May of this year, it sees compliance with the law as being an ongoing process.  By this, it means that it expects organisations to be in a compliant state by May but that future events will undoubtedly influence the way schools work and so their ways of complying with the law will need to evolve as time progresses.

Guildford County School regularly reviews its ways of working to comply with the current data protection regulations and is now reviewing its practice with a view to being compliant with the GDPR by May 25th 2018.

Currently, we are:

1. ensuring that all school staff and governors are aware of the implications for school of the GDPR and planning how we will ensure that students and parents become aware;

2. reviewing our Data Protection Policy to make it GDPR compliant;

3. embarking on a continuing data protection training program using a variety of methods,

4. updating our knowledge of all the personal data we hold, where it comes from, where it is kept, how it is used, what efforts are made to keep it secure and how it is destroyed when it ceases to be of use;

5. reconsidering the legal justification(s) for our processing of personal data to ensure that we have the right to do this and reconsidering when we should ask for consent to process personal data;

6. revising our protocols for conducting common data protection processes including, the completion of Subject Access Requests (SAR), the assessment of data breach risks, managing data breaches, etc.;

7. creating Privacy Notices for pupils, parents, staff, governors and others to ensure that these groups understand why the school needs their personal data and what is done with it;

8. conducting Data Protection Impact Assessments (DPIA), where appropriate, to accurately identify, measure and minimise privacy risks associated with specific data processing activities;

9. reconsidering current ways of working to ensure that all data subjects are provided with opportunities to make use of their various rights under the GDPR;

10. where required, making immediate changes to our security measures and ways of working to strengthen compliance before the May deadline and ensuring that none of the school’s personal data remains in the possession of third parties when they can no longer justify holding it.