The data protection time bomb in schools

29 Jun 2017

Schools should be preparing for the implementation of the new General Data Protection Regulations (GDPR) in May 2018, which brings massive changes to data protection.

The new regulations are intended to strengthen and unify the safety and security of all data held within an organisation. They will bring new demands and challenges that will impact school resources and ultimately finances.

Unless schools have started preparing for the implementation of the new General Data Protection Regulations (GDPR) in May 2018, which brings massive changes to data protection, they really are sitting on a ticking time bomb.

As the ‘data controller’, schools are required to observe various principles when processing personal data. Whilst almost all current data protection regulations will remain, there will be significant changes. This will transform the way schools handle data and data breaches, ultimately changing the way they approach and manage information. Failure to demonstrate GDPR compliance can result in huge fines and other penalties.

Third-party school suppliers that process personal data on behalf of schools are ‘data processors’. Under GDPR, data controllers and data processors have equal liability in the event of a data breach. Blame can no longer be assigned. In addition, any data processors that schools work with MUST be GDPR compliant. It will become a criminal offence to work with suppliers that are not compliant.

As public bodies, schools are mandated to appoint a data protection officer (DPO). The role of the DPO is to oversee data controllers to ensure that they are complying – the DPO has no liability if the school does not comply. The liability lies squarely on the shoulders of the ‘data controller’ - the school.

The key changes under GDPR that schools need to be aware of, and prepare for, include:

  • Greater focus on accountability – schools must be able to demonstrate compliance
  • Compulsory to have a DPO
  • Mandatory to report data breaches within 72 hours
  • Third-party data processors must be GDPR compliant; it will be a criminal offence to work with suppliers that do not comply

As with most things in life, preparation is the key!

Download the guide

The Information Commissioner’s Office (ICO) published a “12 steps to take now” guide for business that our partner GDPR in Schools has adapted for schools.

Visit www.gdpr.school to download the “12 steps to take now for schools” 
