The data protection time bomb in schools

29 Jun 2017

Schools should be preparing for the implementation of the new General Data Protection Regulations (GDPR) in May 2018, which brings massive changes to data protection.

The new regulations are intended to strengthen and unify the safety and security of all data held within an organisation. They will bring new demands and challenges that will impact school resources and, ultimately, finances.

Unless schools have started preparing for the implementation of the new General Data Protection Regulations (GDPR) in May 2018, which brings massive changes to data protection, they really are sitting on a ticking time bomb.

As ‘data controllers’, schools are required to observe various principles when processing personal data. Whilst almost all current data protection regulations will remain, there will be significant changes. These will transform the way schools handle data and data breaches, ultimately changing the way they approach and manage information. Failure to demonstrate GDPR compliance can result in huge fines and other penalties.

Third-party school suppliers that process personal data on behalf of schools are ‘data processors’. Under GDPR, data controllers and data processors have equal liability in the event of a data breach. Blame can no longer be assigned. In addition, any data processors that schools work with MUST be GDPR compliant. It will become a criminal offence to work with suppliers that are not compliant.

As public bodies, schools are mandated to appoint a data protection officer (DPO). The role of the DPO is to oversee data controllers to ensure that they are complying – the DPO has no liability if the school does not comply. The liability lies squarely on the shoulders of the ‘data controller’ – the school.

The key changes under GDPR that schools need to be aware of, and prepare for, include:

  • Greater focus on accountability – schools must be able to demonstrate compliance
  • Compulsory to have a DPO
  • Mandatory to report data breaches within 72 hours
  • Third-party data processors must be GDPR compliant; it will be a criminal offence to work with suppliers that do not comply

As with most things in life, preparation is the key!

Download the guide

The Information Commissioner’s Office (ICO) published a “12 steps to take now” guide for business that our partner GDPR in Schools has adapted for schools.

Visit www.gdpr.school to download the “12 steps to take now for schools” 
