In the months leading up to the General Data Protection Regulation (GDPR) deadline of May 2018 you can rely on Finalsite to help you prepare by providing you with the most reliable, accurate information that is relevant to the education sector. The spirit of GDPR is to put customers in charge of their data and how it's used. This EU regulation is designed to unify and strengthen data protection legislation for individuals within the EU, while enhancing protection for EU citizens handled by organisations outside of Europe. Any school or organisation that collects data from within the EU must comply with this new regulation.
How Should My School Prepare?
In this article we'll highlight the key changes and the first steps that you can take to prepare your school website for the GDPR, according to the Information Commissioner's Office ICO. It is also important that you visit the education sector resources page on the (ICO) website.
Here are the 12 steps to take now; you'll need to check them all, but keeping reading to learn about the highlights that matter.
Privacy Notices
Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling the data. GDPR requires that the information provided is concise, easy to understand and in clear language. Make sure you read the ICO's privacy notices code of practice and make the changes you need.
Individual Rights
The main rights for individuals under the GDPR will be:
- subject access
- to have inaccuracies corrected
- to have information erased
- to prevent direct marketing
- to prevent automated decision-making and profiling, and data portability
Subject Access Request - SARs
The rules for dealing with subject access will change under the GDPR. In most cases you will not be able to charge for complying with a request and you will have just a month to comply, rather than the current 40 days. There will be different grounds for refusing to comply with subject access requests - manifestly unfounded or excessive requests can be charged for or refused. If you want to refuse a request you will need to have policies and procedures in place to demonstrate why the request meets these criteria.
Consent
If you process any personal data on the basis of consent, you'll have to review how you are seeking, obtaining and recording consent and whether you need to make any changes. Consent must be freely given, specific, informed and unambiguous, and a positive affirmation of the individual's agreement. This will likely be relevant for any contact preferences you may have set up with parents and alumni, perhaps for school fundraising purposes. Additionally, the data must only be used for the purposes that consent has been given. EG if someone contacts you through your website with an enquiry of some kind, that does not give you permission to add them to your email marketing list.
Children
You need to start thinking about whether you will need to gather parental or guardian consent for the data processing you carry out. For the first time, the GDPR will bring in special protection for children's personal data, particularly in the context of commercial internet services (social networking). If you arrange for your children in your school to sign up for apps in the classroom or for homework, you'll need to think about how consent can be obtained.
Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach - for example if you lose some personal data or disclose data to the wrong recipient. The GDPR will bring in a breach notification duty for all organisations. Not all breached will have to be notified to the ICO - only ones where the individual is likely to suffer some form of damage, such as through identity theft or confidentiality breach. If you need to report it you'll have to do it within 72 hours of the breach being discovered.
Data Protection by Design and Data Protection Impact Assessments (DPIA)
When your school is considering using data in new and innovative ways, or considering implementing new technology to monitor pupils in some way, it's currently good practice to carry out privacy impact assessments. This will become a legal requirement in some circumstances under the GDPR. You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how to implement them in your organisation. You should start to assess the situations where it will be necessary to conduct DPIA. It has always been good practice to adopt a privacy by design approach and the ICO has recommended organisations use privacy impact assessments for some time now. However, the GDPR will make this a legal requirement for some projects.
Data Protection Officers
Many schools will need to designate a Data Protection Officer - and all public authorities must. You'll need to decide who this will be - or at least identify someone to take responsibility for data protection compliance and assess where this role will sit in your organisation's structure and governance arrangements. According to the Article 29 data protection working party the DPO requirements only apply to large enterprises with more than 250 employees. However DPO would be required for companies processing personal data of more than 500 individuals per year and any public authority. In some circumstances the role of DPO can be allocated to an existing employee as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. You can also contract out the role of DPO externally. The GDPR does not specify the precise credentials a data protection officer is expected to have. It does require that they should have professional experience and knowledge of data protection law.
Our School Doesn't Process Personal Data But My Google, Mailchimp, MIS Does?
The GDPR would call these systems third-party data processors. They are processing the data controller's data on their behalf. Most (but certainly not all) of these systems are run by US-based companies who should be going through the process of becoming GDPR-compliant at this very moment, if they have not already done so. Finalsite is currently on track to meeting GDPR compliance. US companies should also be Privacy Shield compliant. The US Privacy Shield framework has been co-developed by the US Department of Commerce and the European Commission to provide mechanisms to protect the flow of personal data between the EU and the US.
How To Start The Process Of Making Your School Website GDPR Compliant?
Take a personal data audit. A personal data audit will help you to identify all of your data processors. List them all with either a 1 or a 3 to help you track which are first and which are third-party data processors.
For each data processor consider the following:
- What are you using the data for?
- Where is the data being stored?
- Do you still need the data?
For each of the third-party data processors, check their respective privacy policies and make sure that they are GDPR compliant. US-based data processors should be Privacy Shield compliant. If the third party is not yet compliant with GDPR or Privacy Shield contact them and find out if and when they plan on becoming compliant. In the unlikely situation where a third-party data processor is not compliant and has no plans to become compliant by the 25th May 2018 deadline, you should seek to replace them with a similar but compliant provider.
Finalsite Clients Can Sleep Soundly The Night Before GDPR!
Another significant part of the GDPR is the idea that digital systems include privacy by design (also referred to as privacy by default). Put simply, a user's privacy should be fully considered at the very core of any digital system. By default, privacy settings should be set to their highest level with a user given options to downgrade this if they choose to.