Dispelling Common GDPR Myths – part 1

There is much panic related to the implementation of GDPR in May 2018, yet it is pertinent to note that GDPR came into effect in 2016 and organisations were given 18 months to prepare before enforcement of the new regulations begins.

Compared to many private organisations, schools are much better placed to address the new regulations. Make no mistake, GDPR is a data protection game-changer and it will bring new demands and challenges that will impact school resources and ultimately finances.

Some of the fear surrounding the GDPR is the result of scaremongering, whether because of misconceptions, an attempt to sell expensive and unnecessary ‘off the shelf’ GDPR solutions, or an attempt to exploit schools for other gains.

We’re putting together a series of ‘myth busting’ blogs to help clear up some of the confusion in schools.

Let’s dispel our first 5 common GDPR myths.

Myth #1 – Schools don’t need a DPO unless they have over 150/250/300 staff

This doesn’t apply to schools. Schools, as public bodies, are required to appoint a DPO. Check out our blog on who can be your DPO.

Myth #2 – The Head can be our DPO

When appointing a DPO, the school needs to ensure there is no conflict of interests; after all, you cannot mark your own work. We have put together a comprehensive list of roles within a school and the pros and cons of the person in that role being appointed as the DPO – find out who can be your DPO.

Myth #3 – Schools have never been fined so we don’t need to worry

Whilst schools have yet to be fined, there are a number that have had to sign an Undertaking, a published document noting areas for improvement and a promise of action from the school.

Several schools have also had audits complete with advisory notices. These can be quite damaging to the reputation of the school.

Under the new Regulation, there is a greater emphasis on transparency and accountability, so schools will be more open to challenge from parents, pupils and staff.

Myth #4 – Schools could be fined £20m

The ICO has already explained that the maximum fine (£17m or 4% of turnover) is a maximum, not a target. The ICO has spoken about being pragmatic in its approach, with the emphasis on schools making sure that they are well on the way to compliance by the 25th May date. It is a continuing journey, not a hurdle to jump over once.

Myth #5 – This is just going to increase teacher workload

Schools that followed earlier advice from Becta and the ICO will find that this is ‘evolution, not revolution’, as the ICO puts it.

Schools that have not taken as much time to integrate existing good practices to comply with the existing Data Protection Act will have more work to do, but it is not overly onerous. Just as H&S and Safeguarding take risk-based approaches, so does data protection.

The emphasis is on knowing what you are doing with data, who with and why. This is no different to a number of existing practices within schools, so it should be reasonably easy to adapt how you work.