GDPR – Top 3 Facts

3 good reasons to stop burying your head in the sand!

So many organisations, schools included, have spent a long time since the GDPR was introduced in May 2018 with their heads buried in the sand. Recent developments in the data protection arena show that it is time to stop burying your head in the sand and put compliance at the top of your ‘to do’ list. Here are our GDPR top 3 facts that you may not know:

FACT 1 – 364 schools across 10 MATs have been audited

Many schools have been ambling along, safe in the knowledge that it’s only MATs that have been audited by ICO so far, but that’s not true. The schools in those MATs have had the ICO auditors visit too, and it’s only a matter of time before they turn their attention to non-trust schools. Trusts audited must demonstrate that they fully understand, and are continuing to improve, their Information Governance. It can no longer be a few individuals driving this. Data protection must be a strategic part of all aspects of a school’s and trust’s culture, with privacy and risk assessment being driven by the Trust managers, senior leaders and key staff within each of their schools.

FACT 2 – Evidence, Evidence, Evidence, the common theme of ICO audits

Reviewing all the recent ICO reports on MAT audits has highlighted some key messages for schools. There is no ‘excellent’ in the reports. Many schools are beginning their journey far back from where they should be today, in spite of GDPR being in place for over 18 months now. In general, a lack of action has created gaps, and these are getting wider as technology advances and decisions cannot be justified or evidence provided. The key message coming out of ICO audits is “don’t just tell us what you’re doing to protect personal data, prove it – show us the evidence of what you say you are doing.”

FACT 3 – ICO have started to fine schools for non-payment of registration fees

We’ve all talked about when ICO would finally fine a school for doing something wrong. It’s now happened, and it’s not for breaches that we see the first fines, but for non-payment of the data protection fee. 18 education establishments have recently been fined for non-payment of their ICO registration fee, a basic requirement of compliance. It doesn’t take long to register and pay the fee. However, for some schools now a £40 fee has cost them £400, money that should be spent on teaching and learning. It takes minutes to register and pay. Please ensure that your registration is up to date immediately, or you risk joining the growing number of schools that are being fined.

Although you are Public Authorities, schools and trusts are still required to pay the fee and register the name of their DPO. Trusts should also remember that they register once on behalf of all their schools, with the school names as ‘also trading as’ in the registration. As schools join or leave your trust, your records should be kept up to date, and ICO should be informed.

Whilst data protection is only one aspect of everything that is part of school life, it is an important building block for safeguarding your staff, your children and the wider community. Actions taken to close those gaps are now essential, and GDPR in Schools provides tools and support to reduce the pain and ease the culture change in your school, from role-based training videos through to complete DPO services.