General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a piece of EU-wide legislation which will determine how people’s personal data is processed and kept safe, and the legal rights individuals have in relation to their own data.
‘Personal data’ means information that can identify a living individual.
The regulation will apply to all schools from 25 May 2018, and will apply even after the UK leaves the EU.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which schools already comply with), but strengthens many of the DPA’s principles. The main changes are:
- Schools must appoint a data protection officer, who will advise on compliance with the GDPR and other relevant data protection law
- Privacy notices must be in clear and plain language and include some extra information – the school’s ‘legal basis’ for processing, the individual’s rights in relation to their own data
- Schools will only have a month to comply with subject access requests, and in most cases can’t charge
- Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for children’s data
- The Information Commissioner’s Office must be notified within 72 hours of a data breach
- Organisations will have to demonstrate how they comply with the new law
- Schools will need to carry out a data protection impact assessment when considering using data in new ways, or implementing new technology to monitor pupils