If you haven’t heard about the GDPR (General Data Protection Regulation) it is probably going to come up in a conversation soon. In this post we will try to go over the basics of what the GDPR is and how it may affect you and your school.
What is the GDPR?
The EU is bringing in a regulation which is designed to give control of data back to individuals and strengthen data protection. This is a move which is attempting to address the issue of who owns the data that is placed on the servers (and in hard copies) of companies/organisations.
This regulation affects any company/organisation which handles data of EU citizens. So it doesn’t matter if the company hosting the data is located outside the EU, they still need to comply with this law.
To give an example (thinking big picture), the regulation means that an EU citizen can go to a large tech company (Facebook, Google, etc.) and ask them to hand over their data and/or remove it from their systems.
The GDPR is based on six principles (p.35) relating to the processing of personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity & confidentiality
The regulation guarantees individuals rights concerning their data, including but not limited to:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
What sort of data does this regulation cover?
This regulation applies to all personal data that is collected, processed and stored by your school. That could include data stored on servers, in databases, on websites and in paper records. It also extends to data stored by external vendors or third-party services, whether curricular resources or a product used by your school’s business office.
When does it come into place?
The regulation comes into effect on 25 May 2018.
What does it mean for my school?
Complying with the GDPR is going to be a challenge for all organisations, but it is going to be especially challenging for schools. Compared to large corporations, schools have limited resources, and we handle large volumes of highly sensitive information on students and faculty. There are some useful resources out there (see below) and even some consultancy groups who are helping guide schools through the process.
What happens if you don’t comply?
The EU has set large fines for non-compliance – up to 20 million Euro or 4% of global turnover (whichever is greater).
What are other schools doing about this?
The International School of Brussels has initiated a working group for schools to share resources and build understanding. If you are interested in participating, complete this short survey to get in touch.
Further information and resources
- GDPR in School
- GDPR Summary from 9ine
- Another blog post about the GDPR
This post was written in collaboration with Mark Dilworth