Bursars Review | Spring 2018 | Sample

■ Draft guidance for consultation on the relationship between data controllers and data processors under GDPR (https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf). ISBA has also published materials on this in its online reference library at https://members.theisba.org.uk/53562
■ A series of myth-busting blogs by the information commissioner (https://iconewsblog.org.uk/tag/gdprmyths/) do help cut through some of the scaremongering and misinformation, while reminding organisations that GDPR does mean change and a higher standard of data protection must be met.

One reassuring message is that the ICO intends to use its new fining powers “judiciously and proportionately”, and that its enforcement priority will be action against those who “systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks”. All good news for schools taking reasonable and proportionate care to comply with the new law (including, as above, documenting whatever steps are taken). However, advancement teams and alumni organisations may find this message hard to square with the fairly aggressive enforcement line taken on fundraising over the past two years.

What guidance is still to come?

In addition to the final consent and data processor guidance as above, the ICO has promised two further imminent guidance notes of particular relevance to schools: guidance on GDPR and Children, and guidance on legitimate interests (which many schools will be relying heavily on).

Looking beyond these, we still await a more granular, sector-specific view from the ICO on:
■ who needs to appoint a DPO and whether this applies to non-academy independent schools (but as per previous articles, we are suggesting that such schools do not rush into the appointment before this is clear);
■ a fully GDPR-focused guide to privacy notices and PIAs;
■ updated GDPR guidance on the impactful area of subject access and fuller guidance on the other, new individual rights; and
■ new guidance on direct marketing (with specific impact on the area of fundraising).
