Bursars Review | Spring 2018 | Sample

■ Documenting your efforts. The Guide summarises the documentation schools should keep (1) to meet the direct requirements of GDPR and (2) to prove, as you may have to, that you are GDPR-compliant (for example, in obtaining consents, undertaking privacy impact assessments and providing privacy policy information) here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/. Data mapping/audit exercises will help as part of this exercise; all schools should be undertaking this as part of GDPR preparation, but such efforts must not end on or after 25th May 2018, as compliance is an ongoing process.

■ Draft guidance on consent. At the time of going to press, the ICO’s draft consent guidance from March 2017 (https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf) remains the most detailed record of its intentions in this regard, and the longer WP29 draft (i.e. the EU Guidance) from December 2017 is available here: https://iapp.org/media/pdf/resource_center/wp29_consent-12-12-17.pdf. Both of these contain some views on when it is appropriate to obtain consent from a child rather than a parent. In the meantime, ISBA has published its own guidance note on its website on consent as it applies specifically to schools, steering through this and other issues.

■ Brief guidance on privacy notices under GDPR (see https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/) and a relatively up-to-date, but more general, privacy notice guide, which was drafted in 2016 but with trends towards GDPR in mind (https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/).

■ A code of practice for drafting privacy impact assessments (https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-under-the-eu-general-data-protection-regulation/) is now three years old but still has merit in its approach as a tool for GDPR compliance.
