News

Schools still unsure about GDPR compliance

Fewer than half of schools believe they are GDPR-compliant according to a snapshot survey published last week.

The General Data Protection Regulation (GDPR) came into force in May last year in what was the biggest change to how organisations process personal information in the last 25 years.

The GDPR rules apply to all businesses and organisations, including schools, that use personal data and require them to be more transparent in how this data is used and processed.

Among the requirements, schools must have proper opt-in consent in order to hold people’s data, while GDPR also gives people increased rights to access the data that organisations hold about them.

GDPR contained new provisions intended to enhance the protection of children’s personal data. This included privacy notices for children, which must be written in a clear, plain way that a child will understand.

The survey was undertaken by RM Education and Trend Micro in November 2018 and involved 156 schools and colleges, of which only 48 per cent said they were fully GDPR-compliant.

Respondents to the survey included IT managers, data protection officers (DPOs), school leaders and governors. Of those surveyed, 97 per cent said they had updated their policies in accordance with GDPR, 89 per cent had increased staff training, 85 per cent had hired a DPO as required under the legislation, and 83 per cent had carried out a data audit that included their third-party systems, which are also covered by GDPR.

However, reasons given for their lack of compliance included the problems they faced with legacy systems (23 per cent), issues with data security (46 per cent) and a lack of financial investment (31 per cent).

The biggest threat was considered to be accidental data loss by staff (75 per cent) followed by cyber criminals (19 per cent).

The survey also highlights confusion over roles and responsibilities. Sixty per cent of those surveyed said final responsibility for GDPR sits with the headteacher, 42 per cent said the responsibility also sits with the DPO, while 31 per cent named the head of IT.

However, Steve Forbes from RM Education said that GDPR compliance does not sit with one role alone; rather, the responsibility for compliance is shared.

He explained: “A DPO is tasked with monitoring GDPR compliance and other data protection laws and policies, awareness-raising, training, and audits. However, as in all other organisations, responsibility for compliance within a school must be a shared responsibility, and this relies on a whole-school approach.”