1
The GDPR & Schools - An Introduction -
2
What is the GDPR? The GDPR is the ‘General Data Protection Regulation’ (EU 2016/679).
It supersedes the Data Protection Act 1998. It applies from the 25th May 2018. ANY organisation that holds personal data will need to comply. Those found not to be compliant can be subject to fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher; for a school this is usually framed as a share of the annual school budget.
3
The Key Aspects: Penalties, Data Processors, Suppliers, Data Breaches
It will be mandatory to report notifiable data breaches to the ICO within 72 hours of becoming aware of them. Fines of up to €20 million or 4% of annual turnover for non-compliance, and your Ofsted rating may be affected if policies and processes are not in place. It is the school’s responsibility, as data controller, to ensure that 3rd party suppliers that process data on its behalf also comply with the GDPR. The GDPR requires a written contract (Article 28) with every processor, setting out what data is processed, how it is stored and secured, and what happens to it when the contract ends.
4
Accountability, Individual Rights, Data Officers, Evidence. The GDPR gives more control to individuals, including the right to have inaccurate data corrected and, in certain cases, the right to have data erased. It will be mandatory for schools, as public authorities, to appoint a Data Protection Officer (DPO). Schools must be able to demonstrate compliance. Schools must get it right now, in 2018 and beyond.
5
The 9 Rights. The GDPR outlines nine ‘rights’ that permeate the legislation. These are:
Access: Individuals have the right to obtain from you confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to that personal data.
Rectification: Individuals have the right to obtain from you the rectification of inaccurate personal data and the right to provide additional personal data to complete any incomplete personal data.
Erasure: In certain cases, individuals have the right to obtain from you the erasure of their personal data.
Restriction of processing: Individuals have the right to obtain from you restriction of processing, applicable for a certain period and/or for certain situations.
6
Portability: Individuals have the right to receive from you their personal data in a structured, commonly used and machine-readable format, and they have the right to have that personal data transmitted to another controller.
Object: In certain cases, individuals have the right to object to processing of their personal data, including with regard to profiling. They have the right to object to further processing of their personal data in so far as it has been collected for direct marketing purposes.
Automation: Individuals have the right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects on them.
Complaints: Individuals have the right to lodge complaints about your processing of their personal data with the relevant data protection authority (in the UK, the ICO).
Damages: If you breach applicable legislation on processing of their personal data, individuals have the right to claim compensation from you for any damage such a breach may have caused them.
7
The DPO (Data Protection Officer). All schools must appoint a DPO. They must not have any other duties / roles that could be seen to be a ‘conflict of interest’, e.g. Network Manager or safeguarding officer. The DPO monitors and advises on compliance, but responsibility for compliance remains with the school as controller, so senior management and Governors remain liable. Must have the requisite skills to undertake the role, e.g. to investigate, audit, monitor and challenge. Needs to be supported (financially and with access to senior management) to ensure compliance.
8
Vocabulary: Pseudonymisation
This new term refers to the technique of processing personal data in such a way that it can no longer be attributed to a particular data subject without cross-referencing it with further information. That further information must be kept separately and subject to technical and organisational security measures so as to ensure that the data subject cannot be identified from the working dataset alone. Pseudonymised information is still a form of personal data, but the GDPR promotes its use in certain circumstances in order to enhance privacy and contribute to overall compliance. E.g. the GDPR may expect pseudonymisation to be considered when personal data is processed in a way which is “incompatible” with the purposes for which it was originally obtained. Alternatively, the technique could be appropriate for schools wishing to use pupil data for historical or statistical purposes.
9
Vocabulary: PIAs. Privacy Impact Assessments (PIAs), which the GDPR calls Data Protection Impact Assessments (DPIAs, Article 35), are not new, but what is new is that the GDPR will require them to be undertaken in certain cases. A PIA will need to be carried out when you are planning a new initiative which involves “high risk” data processing activities, i.e. where there is a high risk to individuals’ rights and freedoms, such as monitoring individuals, systematic evaluations or processing special categories of personal data, especially if those initiatives involve large numbers of individuals or new technologies such as biometrics. The idea behind a PIA is to identify and minimise the risks to individuals before the processing starts, and to record how those risks were addressed.
10
Vocabulary: DPAs. Data Protection Audits: Schools should review and document the personal data they hold, identify its source and who it is shared with. This exercise is commonly called a data protection audit and can be deployed across the entire school or confined to distinct areas within the school. Unless you know what personal data you hold and how it is being processed, it will be difficult to comply with the GDPR’s accountability principle, which requires you to be able to demonstrate how the school complies with the data protection principles in practice. Another critical benefit of a data protection audit is that it maps flows of personal data into and out of the school, and can be used to measure the degree to which the school complies with the law and to identify “red flags” which require urgent attention.
11
Vocabulary: DPPRs. The GDPR is likely to require all schools to review their policies, particularly those relating to data protection. Data protection policies for pupils and parents are used to explain an individual’s legal rights and how those rights can be exercised. Because the GDPR changes those rights, your policies will also have to be amended. Any policies also intended to be read by children will have to be explained in clear, non-technical language and in a way that can be readily understood by the intended audience. You should ensure that your policies are easily accessible and not “buried” on your website.
12
Vocabulary: Training. Schools will continue to be subject to an obligation to take organisational steps to keep personal data secure, and the deployment of staff data protection training will continue to be expected. New starters should receive data protection training before they have access to personal data, and existing staff should receive regular refresher training. Schools that breach the GDPR (or the current DPA) will be criticised if they have failed to ensure that all staff who handle personal data have received data protection training. This is because staff training is a simple organisational measure that an organisation can take to reduce the likelihood of data losses.
13
The Ten Steps To Implementation
1. Raise Awareness: Understand the requirements; communicate what is coming to relevant parties, e.g. staff, parents, governors.
2. Accountability & Data Governance: How will you demonstrate compliance to relevant parties?
3. Communicate: The need to tell individuals how you will use their data. How will you achieve this?
4. Legal Grounds: Ensuring that any data collected or held is within the law, e.g. held with consent or on another lawful basis.
5. Consent: The need to review how you seek consent and who you allow to give that consent.
14
6. Individual Rights: How will these be communicated and protected, e.g. the process for amending or changing data?
7. Right of Subject Access: The right to view any data held. How will this be managed? A fee can no longer be charged in the normal case; the one-month response deadline also applies.
8. Data Breaches: The procedure for managing, recording and communicating breaches, plus how breaches are used to improve practice.
9. Children: Children are now seen as ‘vulnerable’ and requiring ‘special consideration’. Can children approve / amend their own data?
10. International Issues: Does the school transfer data between itself and overseas? Will the process comply with the GDPR requirements?
15
The School Readiness Assessment Framework Should Be Used To Identify Areas of Strength and Weakness In Your School
16
The Support Pack Contains A Wide Range Of Resources and Help In Preparation for the GDPR In Your School