Bursars Review | Spring 2018 | Sample
The Bursar’s Review has run a series of articles on preparation for the General Data Protection Regulation (GDPR), which takes effect on 25th May 2018. Here, we look back to the guidance given in the Summer and Autumn 2017 editions and consider where we are – specifically in respect of expected ICO guidance and the latest on the new UK-only Data Protection Bill – and where we should be.

The year of GDPR

Hopefully, all schools will by now have appointed a compliance lead in this area – whether or not called a ‘Data Protection Officer’ (or DPO: see previous articles and ISBA guidance) – and begun both to raise awareness generally and to get support and buy-in from key staff and management. This ought to have precipitated an audit, of whatever scale is appropriate, to understand what data the school holds and why (both in the sense of ‘for what purpose’ and ‘on what legal basis’). This step is recommended, and indeed we would say essential, before the school can meaningfully embark on the more tangible outputs of GDPR preparation, such as:

■ creating a new privacy notice (incorporating the new GDPR requirements, in language appropriate to those it is aimed at);
■ reviewing all relevant policies where data protection has an impact: the data protection policy for staff (if separate), retention of records, CCTV / use of images, IT acceptable use, etc;
■ considering the key contracts the school has that will be affected, from parent contracts to subcontractors and outsourcing; and
■ reviewing forms and consent wording, and indeed giving careful thought to where the school should seek to move away from ‘consent-based’ processing (and identifying where it cannot).

These are the outwardly-visible signs of compliance. However, GDPR also requires schools to have internal records demonstrating how compliance and privacy have been considered in major projects or risk areas, for example fundraising, IT and safeguarding.
The school ought to know how to carry out data ‘privacy impact assessments’ (PIAs or DPIAs) for these tricky areas, starting with a general one documenting the outcomes of the audit referred to above. Until the school has carried out these internal assessments and identified where it is relying on grounds such as legitimate interests, rather than seeking consent, it is unlikely to bring much benefit for the school to attempt to draft any of its key policies, forms or the privacy notice itself. To help schools in this lengthy process, ISBA (with Farrer & Co) is providing staggered guidance, intended both to sit alongside the official guidance of the Information Commissioner’s Office (ICO) and to fill in the gaps where we are still waiting for it.

Stay GDPR-savvy
■ GDPR requires schools to keep internal records demonstrating compliance and privacy.
■ Carry out and document a ‘legitimate interests assessment’.
■ Don’t let GDPR creep up on you – take positive action now.

GDPR preparation – what happened to the guidance from the Information Commissioner?

One of the key roles of the ICO is to produce intelligible guidance, both general and sector-specific, to assist organisations (and the public) in getting to grips with the complex and lengthy rules around data protection law. For data controllers such as independent schools, this generally means understanding where the line of compliance will be drawn in practice (and ideally, in good time before it takes effect).