“The education sector saw 19 breaches in the last quarter, many of which were due to the loss or theft of an unencrypted data storage device.”[1] As a school, the data that you store and process is invaluable. If it gets into the wrong hands and/or is misplaced, your school will be affected severely.
What is Required:
With GDPR in place, your school will have to ensure that the data stored is kept secure at all times. Schools are highly targeted by cyber-attacks and if any data is lost this can spell serious trouble.
In regards to data, your school will have to ensure:
- Consent – Consent has to be informed and transparent. Schools have a requirement to state clearly why they are collecting the data and what they plan to do with it. Consent has to be as easy to withdraw as it was to give, and where the data subject is under 16, parental consent will be required. When an organisation shares data with a third party, consent will need to be gained from the data subject.
- Breach notification – Schools are required to inform the Supervisory Authority (in the UK's case, the ICO) within 72 hours of a breach where personal data has been or could have been compromised. Schools also have a responsibility to inform data subjects of any breach.
What to Remember When Processing Data:
- How you process data – GDPR states that data should be processed lawfully, fairly and in a transparent manner. This means that your school's data must be processed securely, in a manner that ensures personal data is not exposed to unauthorised access. It is also important to protect data from unlawful processing or loss caused by an internal staff member.
- Consent for data collection and retention – Consent must be freely given, explicit and demonstrable. It has to be clearly presented and distinguishable from other content. Should the person want consent removed, it must be possible to withdraw it at any time; it should essentially be as easy to withdraw consent as it was to give it. As a school, it is extremely important to have parental consent if the data subject is under 16 years old.
- The right to be forgotten – Now called “erasure”, this allows individuals to require data to be ‘erased’ when there is a problem with the legality of the processing or where they withdraw consent. Data subjects can request deletion of their data, and schools have a responsibility to ensure that all data they hold is removed, including any data they have supplied to third parties. There are certain circumstances where this request can be denied. Schools can also suspend processing whilst investigating the request.
How Does This Affect Your School?
Should your school not comply with GDPR, or experience a data breach and fail to report it adequately, this can result in a penalty. The regulation states that penalties should be significant enough to make compliance economically sensible. Penalties will depend upon the nature and gravity of the infringement. They are: 2% of worldwide turnover or €10m, whichever is the greater; or 4% of worldwide turnover or €20m, whichever is the greater. This is not to mention the negative public attention and reputational damage the school will receive as a result. With the above in mind, your school should ensure that processing data is not an issue.
How Can Sweethaven Help?
IASME & Cyber Essentials Accreditation – Sweethaven is an accredited assessing body for Cyber Essentials and IASME, and is now aptly qualified to offer security and information audits, with subsequent recommendations for next steps, to our customers. Our Sweethaven Security 360 Review will work through a systematic process with you to audit your current IT network, data structures and security policies, before compiling a comprehensive list of recommended next steps to achieve optimal network security and bring your school into line with upcoming GDPR requirements.
Data Protection Officer – Sweethaven Education Services are delighted to be teaming up with Judicium Education to offer fully comprehensive outsourced DPO services that combine regulatory and technical GDPR compliance. By combining Sweethaven’s technical knowledge of your site with Judicium’s legal experience, we are together now able to offer a fully outsourced named DPO with a helpline and data check-backs.
Teaching Continuity Solutions – Check out one of our latest blogs, which discusses Teaching Continuity and the importance of implementing a backup and/or disaster recovery solution for your school. Read more here: Ensuring Teaching Continuity in Your School
For more information on any of the above, please do contact the team on:
Phone: Give us a call on 01737 247 090.