Bursars Review | Autumn 2017 | Sample

Getting ready for GDPR

The General Data Protection Regulation will take effect on 25th May 2018

Hopefully, whether or not you read the introductory piece in the Summer 2017 edition of the Bursar's Review, the concept of the General Data Protection Regulation (GDPR) should not be new to you, and its impact day of 25th May 2018 should come as no surprise.

Pro-active steps to GDPR compliance

For those of you who may have heard tell of the new UK Data Protection Bill, this does not change matters: it was an expected step to bring GDPR into UK law, regardless of Brexit. It was also necessary to fill in a few gaps which the EU left to individual governments to take a particular view on. Those familiar with the existing Data Protection Act may recognise some of the language in the UK Bill around exemptions for areas such as safeguarding and employment. By next year we may be referring to 'DPA 2018' rather than GDPR, but do not for one minute think that the GDPR compliance standards you have heard so much about in the past year will not still be a part of our law.

Core themes of GDPR

When advising schools on the impact of GDPR, I have been keen to emphasise three things:

1. Data protection is not simply an IT issue; it is a cultural one. It hinges most critically on the human factor, both in respect of the individuals ('data subjects') that the new legislation places at the heart of the law, and the organisations that are, themselves, primarily made up of people.

2. Good communication is vital to obtain the buy-in necessary to embed GDPR in your organisation. Again, this means your communication to staff as well as to the pupils and parents (past, present or prospective) that will make up your 'data subjects'.

3. Policy is part of culture and communication. It should exist as a living thing, not a piece of paper kept in a drawer or posted on the website and forgotten about. What is more, good policy should not simply be downloaded wholesale off a website.

I will deal with the last point first, but return to it at the end (you must trust me that there is method in the approach!).

How to update your privacy policy

Establish a squad of data privacy 'champions' in different areas of the school

A full audit and assessment of practices should precede any attempt to update the privacy policy

Many schools will share much of the same DNA, perhaps, in terms of what should go into the core privacy policy, but in order to get there it is critical to conduct a sweep of systems and data at your school. This is not simply an exercise in box-ticking, or a way for lawyers or GDPR consultants to earn money. Not only is it critical to gain, and keep, this degree of corporate knowledge in-house; it is also something that, in terms of record-keeping, the regulator will expect to see has been conducted. The quality of your systems review prior to GDPR will be a major enforcement and compliance factor should the school's data protection practices be questioned by an individual, or in the media (for example due to a privacy breach or fundraising 'scandal').

This process is called many things by different people (a data asset sweep, a DP audit, a systems review), but ultimately it fits within a term of art in the GDPR: the 'data protection impact assessment' (DPIA), which many still call a 'privacy impact assessment' (PIA). There is no set form to it, because a DPIA can be short or long, and may concern new projects or a risk assessment of how things are done already; but the most major one a school is likely to undertake is the one that should be underway already.

We will return, then, to the privacy policy later; the key message here is: don't put the cart before the horse. In other words, you cannot expect to give an accurate description to the world at large about how you process personal data until you have a good grip on it yourself.