LEGAL
TIPS FOR IMPLEMENTING THE GDPR
Daljit Kaur
Over the past few months, there has been a lot of concern about the looming implementation date for the General Data Protection Regulation (GDPR), which will be operational from 25 May 2018. Organisations have been warned that they need to be prepared and ensure they are compliant before that date. Daljit Kaur, Associate at Browne Jacobson, explains.
The question being asked is, are the new legal requirements concerning data protection really all about change or should schools carry on doing what they are doing? The answer is yes and no. The main concepts and principles remain the same, but new elements within the GDPR enhance the provisions under the current Data Protection Act (which will be abolished and eventually replaced by a new Act). As with any process, there are three main stages to focus on: familiarisation, planning and preparation, and implementation. Some general tips for each of these stages are set out below:
Familiarisation

Before preparation for compliance with the GDPR can commence, schools should ensure that they are fully aware of what is required. Reading the GDPR alone can cause confusion: for example, there are a number of derogations within the GDPR that permit member states to implement a slight alteration to what the GDPR sets out. The Government has, as mentioned above, issued a Data Protection Bill, which is currently in draft form and therefore needs to be read with caution. Given the above, the best place to start for information concerning the GDPR is the Information Commissioner’s Office (ICO), which has been confirmed as the regulatory body for the purposes of the GDPR in the UK. The ICO’s website (https://ico.org.uk/fororganisations/data-protection-reform/) sets out useful information, including a general overview of the GDPR and the 12 steps it considers you should be taking now.
Planning and preparation

Whilst schools already have responsibilities under the Data Protection Act 1998, the GDPR imposes new requirements – for example the appointment of a Data Protection Officer (DPO) and notification of personal data breaches – and provides new rights to individuals. Accordingly, you will need to plan and commence steps to ensure you have all processes, policies and training in place before 25 May 2018. Failure to be compliant with the GDPR requirements by this date may result in a fine. Transparency and accountability are major themes of the GDPR, so you should consider what steps you need to take to evidence your compliance. Three initial steps you can take now to prepare are set out below:

isbl.org.uk
Step one: Information Audit/Data Mapping Exercise
Under the GDPR, organisations are required to maintain a record of processing activities. By undertaking an information audit, you can begin to understand what personal data the school is holding, the reason(s) for holding it, and how and why the school is processing it. This exercise can then enable you to consider what the risks are to your school in terms of non-compliance, for example:
• are you holding excessive personal data, or holding it for an excessive period?
• are you processing data without a lawful basis (for example, valid consent)?
• do your policies and procedures cover the various processing you undertake?
• is the personal data held securely by the school?
THE VOICE | ISSUE 17 | SPRING 2018
The audit should include – amongst other things – the purposes of processing; a description of the categories of data subjects and the categories of personal data; categories of recipients to whom the personal data will be disclosed; and, where possible, the time limits for erasure of the different categories of data. If these are covered, the audit could then be used as the school’s record of processing activities.
Step two: Data Protection Officer

As a public authority, schools (which includes maintained schools and academies) will require a DPO (although a group of schools, for example a multi-academy trust, can appoint a single DPO). Consider carefully who your DPO will be, because they will have a central role in the school’s data protection compliance. They should have expert knowledge of data protection law and practice, because their responsibilities will include:
• informing and advising the school and its employees about data protection requirements
• monitoring compliance with the GDPR and other legal data protection requirements, including the school’s policies relating to the same
• raising awareness and training staff
• related audits
• advising on data protection impact assessments, and
• being the contact point for, and co-operating with, the ICO.

The DPO can be an existing staff member (provided there is no conflict of interest) and s/he will report to the highest level of management in your organisation.
Step three: Policies and Procedures
A detailed review of the school’s policies and procedures should be undertaken, including privacy notices, consent forms and contracts with third parties that are processing personal data for the school. Individuals have new rights, which will require changes to your policies and processes covering the following:
• General individual’s rights – these have been enhanced to include additional requirements concerning consent; the right to rectification (inaccurate data being corrected); and the right to erasure (to be forgotten) in appropriate circumstances
• Subject access requests – you will be unable to charge for the majority of these requests and will have one month instead of 40 days to comply, and
• Privacy notices – need to be written in a clear, plain way that a child can understand.
Implementation

Following completion of the above, staff should be informed about, and trained on, the changes the school has made to ensure compliance with the GDPR. Staff should be aware of, and have access to, the DPO. They should also be aware of how and when they can process information, and of the school’s procedures for any personal data breach (which the school may need to report to the ICO within 72 hours of becoming aware of it). Your preparation for GDPR implementation is key and, as stated above, should include a detailed audit and/or review. Failure to comply could result in an investigation by the ICO and possible enforcement action, which could include a fine or legal action.

Key dates and deadlines: the GDPR comes into force on 25 May 2018; you will have 72 hours to report a personal data breach; you will have one month to comply with subject access requests.