Last updated: 23.02.18

GDPR In Education: How Schools Can Prepare

The GDPR deadline might only be a couple of months away, but that doesn’t mean that there isn’t still time to ensure that you’re doing everything you can to meet the requirements it sets out - whatever industry you’re operating in. In this article, we’re going to take a look at the education sector in particular. What is GDPR for schools, and what can schools do to make sure that they stay on the right side of the law?

First, let’s briefly cover the top-level details of the General Data Protection Regulation. It’s actually almost two years since the regulation was agreed upon and adopted by the EU, but it becomes fully enforceable on 25th May 2018. The overall aim of it is to give EU citizens more control over their own data when it gets handed over to organisations.

There are a variety of elements to GDPR, but the main ones are fairly straightforward. Perhaps the one that brings the biggest change is that data can’t be processed without good legal grounds to do so. In most cases there are going to be two justifications for this. The first is that the data has to be collected and processed in order to carry out the service requested, and the second is that the organisation has received explicit consent. This will be a big issue for businesses that want to continue marketing to people after they’ve made a purchase, and buying contact lists is likely to become a thing of the past. For the education sector, it’s less likely that this part of GDPR will be important, but it’s certainly worth bearing in mind. Universities, for instance, won’t be able to continue emailing alumni for support unless they can prove they’ve been given consent to do so.

Another change is around personal control of data. EU citizens will now have the right to request all of the data held by an organisation about them, and they can also insist upon its deletion. Again, this is unlikely to directly affect schools and other education providers, but it’s worth being aware of.

So why is GDPR important to schools?

One of the major issues is that schools notoriously tend to have poor IT systems, especially when it comes to the accurate and safe storage of information. This often comes down to budget restrictions, which means that IT systems meet the bare minimum requirements, and aren’t updated and replaced until the very last minute. In many cases, information will be stored on very insecure and potentially inaccurate spreadsheets. Unfortunately, this will not be acceptable under GDPR, which does demand robust storage systems.

Schools’ data storage solutions going forward will need to be:

  • Highly secure, with encryption at every opportunity, to ensure that all held data is kept as safe as it can reasonably be
  • Easy to access, so that any access requests that come in can easily be fulfilled in the specified time frame
  • Easy to change, so that any changes in the data can be made without difficulty, particularly in respect to the removal of data
  • Useable with metadata, which is to say that schools will need to keep a record of certain things, such as the period of time the data can be legally held for, or whether or not explicit permission has been given for certain data to be used

In order to accomplish the above, many educational establishments will need to re-assess the system they are using, and there are many potential options. While GDPR does set out new standards, it does not go into any detail about how they should be met, so organisations are free to use whichever system suits them. This could be an in-house, external or cloud-based solution. In many cases it will be wise for organisations to consult an IT expert for guidance in this area.

As part of this, it’s highly likely that many schools, particularly larger ones, will need to employ or designate a data protection officer if they haven’t already done so. It will be this person’s responsibility to both implement data protection policies, and ensure that they’re being adhered to by relevant members of staff. Indeed, in certain cases GDPR mandates the appointment of a data protection officer.

For more information about the specifics of GDPR and how it might affect your business or organisation, take a look at our free GDPR resources.
