Last updated: 21.05.18

GDPR in education: are you ready?

As the new data protection regulations are established on May 25th 2018, education organisations are required to be prepared for the updated rules and requirements. Educators and data protection officers alike must be ready to comply with the changes, as well as being aware of the potential effects of the new regulations on their organisation. With this in mind, it is important to ask yourself: are you and your organisation ready for the new GDPR?

Safeguarding and education are major current topics of discussion across media platforms, with data protection compliance under constant scrutiny from the public. As such, the education sector will play a crucial part in maintaining all data protection legislation and acts whilst the new GDPR is introduced across the EU. The GDPR updates will strengthen and reinforce data privacy for all citizens within the EU, which increases the significance of the data controller roles.

Internally, new record-keeping processes will be implemented and all Data Protection Officers (DPOs) – whether current or in training – should only be appointed once their data protection law knowledge is deemed to be at an expert level. In any organisation involving data protection, the highest level of management should be kept informed of current GDPR operations, with the DPO reporting directly to them. These procedures aim to make data compliance and protection more thorough, with fewer privacy breaches and penalties as a result.

How will key changes within the GDPR be accessible for organisations?

Given the sensitive nature of most of the data within the education sector – that of children, families and staff – data processing has been adapted to accommodate a layperson’s approach. Legalese terms have been replaced with clear, legible language, following the ‘plain English’ approach, to ensure conditions for consent are explicit in their meaning. There will be increased emphasis on making it as easy to retract consent as to permit it, to ensure all individuals within the education sector are protected and their data remains secure.

What should organisations focus on to ready themselves for GDPR?

To aid organisations in their preparation for the GDPR, the Information Commissioner’s Office (ICO) has developed a 12-step guide, ‘Preparing for the General Data Protection Regulation (GDPR)’, highlighting the main areas of change. Below are a few examples of the updated categories:

  • Individuals’ rights – you should check that your current procedures cover all the rights of an individual, including how you store or delete personal data.
  • Consent – you should review how you seek, record and manage consent.
  • Children – you should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

As well as focusing on preparing for the new areas of GDPR, organisations should also consider re-training current staff and establishing a standard level of GDPR practice throughout the whole organisation. Carrying out workshops and training programmes will not only help to cement the new regulations, but will also ensure that all members of staff understand the implications of GDPR on their specific roles within the organisation.

If you have any questions on the topic of GDPR in an education setting, please don’t hesitate to contact Chris Sharman at Virtual College, who would be more than happy to help.