Look twice
New Year’s resolution – review your data protection! Chris Berry urges independent schools to consider the implications of GDPR The General Data Protection Regulation (GDPR) is new EU legislation that reforms laws regarding the handling of personal data and will come into effect in the UK from 25th May 2018. The introduction of the GDPR significantly raises the bar for personal data privacy and most organisations, including schools, will have to examine and determine how they collect, store, manage and protect personal data in order to comply with the GDPR. For those that don’t comply, the penalties are severe. Fines can be as high as 20 million Euros for serious violations of the GDPR, or 4% of a company’s global turnover, whichever is greater. The severity of these fines is a sign of how seriously the GDPR should be taken. Schools will need to review current practices and make necessary changes to the way they handle their workforce data. With less than six months until the GDPR comes into force, many independent schools have failed to start planning, some believing, wrongly, that the new regulations won’t affect them. Where preparations have been undertaken, the effort tends to be limited to the protection of the personal details of parents and pupils. But staff will be very much affected as well. In particular, separate data management for employees, supply, peripatetic staff and volunteers could render independent schools vulnerable under the new regulation. The management team within independent schools will have an important role to play in protecting the data they hold on their entire workforce. Given the implications, this is not something HR professionals can ignore. The school will be held accountable if things go wrong. GDPR will fundamentally change how schools handle personnel data. The main changes are around the way staff can access, correct, delete and transfer their details. Key changes will include making sure that permission to process data has, where necessary, been opted-into, and not assumed. Policies will have to communicate clearly what data is being stored, how it will be used and how long it will be held. Schools will also need to ensure that, when consent for storing or processing data is withdrawn, the affected data is deleted unless there is another legal basis for retaining it. For those in the management of schools, this means a rethink about how personal data is collected, used and kept, from handling recruitment and employer references, to monitoring staff performance and handling safeguarding records. Many schools are running separate data sets for staff, supply teachers, peripatetics and volunteers, which could leave some parties more open to data breaches. So a key move will be to ensure that the same protection is being extended to all team members. Added to this, new accountability measures
will make it important that systems are in place to show that the regulations are being met. The Information Commissioner’s Office (ICO) provides a best practice recommendation that organisations should try to give individuals remote access to a secure self-service system so that they have direct access to their own information. Self-service functionality provides transparency and enables individuals to ensure data accuracy. Using CIPHR’s SaaS HR system, employees, trainees, supply teachers, peripatetic staff, job applicants and volunteers can access and update their own personal information via a secure self-service portal. CIPHR offers tools that will help you to document when consent from employees and volunteers was granted for processing personal data. CIPHR also has integrations with leading School Management Systems to ensure that personnel details are kept up to date and are transferred between the platforms securely. Here are 9 suggestions, although by no means definitive, of things you can do to prepare for the GDPR before May 2018. 1. Start the Discussion Regulations are likely to impact several areas of your school and you need to raise awareness not just of the oncoming implementation but also the seriousness of any breaches or non-compliance. 2. Assess your Current Compliance Use the opportunity to assess and discuss where you are with compliance currently and identify any new requirements from the GDPR that may affect your school. You will need to examine how and where you use the personal data you collect, and audit how you store and track that data. 3. Review Privacy Notices and Policies Take the time between now and May to review how easily understood your current privacy notices are, and update them to include the additional information and more stringent regulations of the GDPR. Review your current data protection policies and practices including existing employment contracts, staff handbooks and employee policies. 4. Educate Yourself on the Requirements Make sure you study and fully understand the more detailed regulation, and ensure that the relevant people within your school have received the training they require to understand the new laws. 5. Consider Consent The GDPR states that consent from the individual needs
Spring 2018
49
