
The EU General Data Protection Regulation (GDPR)


1 The EU General Data Protection Regulation (GDPR)
Why it matters to your school
Claire Ashton

2 Comes into force on May 25th
Is a law and all schools must be compliant
Additional accountability
A higher profile for data protection
Enhanced rights for data subjects
Higher expectations from everyone

3 Preparing for Compliance
What is the GDPR: protection for individuals; modern; EU wide; a law; more accountability for organisations
What isn't the GDPR: all about fines; only relevant until Brexit; something to ignore

4 Preparing for Compliance
Expect an increase in the profile of data protection

5 Preparing for Compliance
Does your school need to comply with GDPR? When?
Our survey results show that fewer than half of you feel that you meet the current DPA.

6 Preparing for Compliance
Does your school need to comply with GDPR? When?
Misconception: schools have a grace period

7 Your school's role
Is your school a data processor or a data controller?
Accountability: need policies, procedures and to mitigate risks
Contracts with data processors (vendors)
Need to notify the supervising authority (ICO) in case of a serious data breach
ICO carrot (wants to help organisations be compliant and do the right thing); stick (liable for fines if not, especially if there is no sign of working towards compliance after a breach).
Key message: responsibilities have increased for data controllers, who must show accountability for how data is handled and protected. There are tools to help demonstrate accountability by mapping.

8 Your school's role: Definitions
Controller: determines which personal data will be collected, from whom, why, how long it will be kept for and how it will be processed
Processor: processes the data on behalf of the data controller and decides which systems to use to do so

9 Document that you comply with the GDPR
GDPR Article 24: "...the controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this Regulation..."

10 Only use processors that comply with GDPR and prove it
GDPR Article 28: "...the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."

11 Preparing for Compliance: The Six Data Principles
Personal data must be:
Processed lawfully
For a specific purpose
Kept to a minimum
Accurate and up-to-date
Retained only for as long as it is needed
Kept securely

12 Do we need consent?
Do you need consent for every piece of personal data you hold?
The age of consent for data processing is 13 in the UK
In schools, consent is generally needed only for the use of photographs in promotional activities such as the website and when sharing news with local papers and social media
Consent must be explicitly given

13 Reasons to process data: Lawful Basis for Data Processing
Known as the lawful basis:
Contractual: such as employment contracts for staff.
Legal obligation: such as collecting attendance data for statutory returns.
Protecting vital interests: such as disclosing medical information to health professionals or information for references.
Public interest: this applies to data collected for statutory purposes.
Consent: for children under the age of 13, this consent must be given by their parents. Consent may also be withdrawn. Applies to photographs and information on the website.
Legitimate interest: such as for marketing purposes. If you do use marketing, consent is the most appropriate basis for processing this data.

14 Preparing for Compliance: The Rights of Data Subjects
Right to be informed
Right of access
Right of rectification
Right of erasure
Right to restrict processing
Right to object
Right to data portability
Rights in relation to automated decision making
Survey response: 20% of schools have had a subject access request; 27% aren't sure.
The right of access relates to subject access requests (SARs), and the data must be shared with the data subject within one month.
Schools not comfortable with rehearsing an SAR can document their experiences of them and how they would improve processes in the future.
SIMS has a new report. There is a new access level called Data Protection Officer and a subject access report which downloads all of the information in SIMS on that individual. Lots of data is spread across the school, but this is a start.
Schools say that subject access requests tend to be:
From parents when their child has had an issue with another child (there are issues over protecting the other child's information here)
From staff when there is a grievance

15 The Data Protection Officer
As public bodies, maintained schools and academies need a DPO
Unclear if the LA is responsible for this for maintained schools
Can be shared across schools, or a DPO on demand service
Must be impartial
Takes an advisory and monitoring role
Guides your school to compliance
It is your school's responsibility to follow this guidance

16 Who can be the DPO?
DPO finding service from ESP Education Professionals
Discussion over who is suitable. In the room, there are likely to be individuals with this responsibility under the DPA who would not be appropriate following GDPR.

17 Data Mapping
Step one: Identifying the data. What personal data do you hold?

18 Data Mapping: Definition
Personal data is any information relating to a living natural person that can be used, directly or indirectly, to identify that person

19 Take one piece of data
Work through the activity: What are the risks? How do we mitigate?
Debrief and discussion: How many types of data? (Who got the most circles filled in?)
Discuss scope in terms of data and data flows: Where is it? What systems? What formats? Who has access? What suppliers? What is covered by GDPR?
(Key message: you need to know what data you hold, why you need it (legal basis/consent), and be able to map where it is and where it goes; hence the importance of a data audit.)
It also helps, if there is a breach, to know what data has been breached and how sensitive it is.

20 Documents and Communication
Update privacy notices and policy documents
Ensure transparency
Review contracts
Updated privacy notices came from the Department last week

21 Changing Behaviour
What's your biggest concern about changing staff behaviour?
Where in school are you storing data you no longer need?
Is there a culture of copying everyone in on emails?
Discussion over whether your school is generating more data through poor management
Can introduce system controls where all emails are archived or deleted after a set period

22 Data Breaches
Losing data
Sending it to the wrong person
Unauthorised people accessing it
Emailing it unencrypted
Applies to electronic and paper copies of data
Serious breaches must be reported to the ICO within 72 hours
Encrypted data does not have to be reported, e.g. encrypted memory sticks
Using free internet in cafes to work potentially poses a greater risk than using unencrypted email. Comment from an IT systems manager that individuals' laptops are more likely to be intercepted and watched when staff are using insecure connections than their emails are to be intercepted.
The ICO reports that 54% of organisations have been hit with ransomware, when a hacker accesses your personal/corporate information and threatens to publish it.
Schools may have encrypted email within their own or the LA servers. Many don't understand what this means and think it is using passwords on devices.

23 Protecting personal data
Do you have a procedure for dealing with a data breach?
Discussion: what are the implications of a breach? (Data subjects' rights, the reputation of the school, possible fines.) When and how do breaches need to be reported (to the ICO and to data subjects)? How would you manage this process in your school? Do you have a procedure for this?
Key message: the actions taken to safeguard personal data indicate that an organisation takes the rights of pupils and staff seriously. The majority of breaches are down to human error or lack of awareness, hence the importance of training.

24 Changes to Registration Fees
New fee system from April 2018

25 Five steps to compliance
Know what information your organisation processes and where it is. Assign a DPO.
Do not delay. Make sure GDPR is an agenda item at SLT and Governor meetings.
Get procedures and policies up to date. Communicate clearly.
Ensure your staff are trained and aware of how to protect data and what to do if something goes wrong.
Make sure that your suppliers are compliant: do they process data overseas?

26 How we can help
Training and support
Compliance platform
Gap analysis and action plans
Highlight the poster, designed to be like the Health and Safety ones and displayed in the staffroom

27 E-learning training

28 Compliance platform

29 Further information
www.ico.org.uk
Twitter @ICOnews
Training and guidance
Compliance platform
Advice: follow the ICO and set up alerts to save time looking through their website for updates

