Disappointment over DfE’s failure to help academies get to grips with GDPR

Experts have called on the Department for Education (DfE) to do more to help schools comply with the new data protection act.

The General Data Protection Regulation (GDPR) came into force on 25 May, affecting all public and private sector institutions and how they handle data.

But Geoff Barton, the General Secretary of the Association of School and College Leaders, said he has been disappointed with the department’s input on this issue.

Likewise, Head Teacher Robin Bevan said he has been forced to pay £200 to hire a data consultant to train staff.

“It all seems quite small-scale until you do that calculation: with 20,000 schools at £200 a time, suddenly £4 million of public money has been spent simply because the DfE failed to publish a simple booklet of advice for schools,” he said.

A Government spokesperson said the DfE “is working with a number of schools and other sector representatives to develop further guidance and case studies to help schools prepare for the introduction of the upcoming legislation.”

So, what is the GDPR?

The key differences are seen in how personal data is stored and used. For example, schools are now forced to maintain records of ‘consent’ and students and other data subjects have been gifted the right to be ‘forgotten’.

All ‘personal’ data is protected by the GDPR. That includes online and offline identifiers, such as IP addresses and phone numbers. As a general rule of thumb, any information which fell within the scope of the DPA now falls within the scope of the GDPR.

The other key difference is in the penalties for organisations which fail to proactively protect student data.

Under the new regime, the Information Commissioner’s Office (ICO) can issue fines of up to four per cent of global turnover, or 20 million euros, whichever is higher.

Comparatively, current rules mean the ICO has the power to charge a maximum of £500,000.

From staff blunders to cyber-attacks, a potential data breach can happen at every level of your school. That’s why preparation and due-diligence will be your first line of defence in protecting your students’ data.

The GDPR is arguably one of the most significant changes in corporate law in the last decade, meaning that, where possible, academy leaders will need to put in place measures to protect student data before the May deadline.

At The Fish Partnership, we understand the day-to-day challenges schools and academies face. We can help your academy with a wide variety of tax and financial matters. To find out more, please contact us.