The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. It has brought higher standards for handling data and determines how people’s personal data is processed and kept safe. GDPR is a piece of EU-wide legislation and schools have a legal duty to comply with the regulation.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which schools already comply with), but strengthens many of the DPA’s principles.
The main changes are:
– Schools must appoint a Data Protection Officer and be able to prove that they are GDPR compliant
– Privacy notices must be in clear and plain language showing the school’s ‘legal basis’ for processing and the individual’s rights in relation to their own data
– Where the school needs an individual’s consent to process data, this consent must be freely given, specific, informed and unambiguous
– Schools will only have a month to comply with subject access requests, and in most cases they cannot charge
– It will be compulsory that all data breaches which are likely to have a detrimental effect on the data subject are reported to the Information Commissioner’s Office within 72 hours.
Please read our privacy notice for pupils, which explains how we handle pupil information, what rights you have and how to exercise them, and our policies around this.
If you would like to know more about the GDPR and your rights, please visit the UK’s data protection regulator, the Information Commissioner’s Office, at www.ico.gov.uk.
Should you have any queries regarding the GDPR and our school, please email us at firstname.lastname@example.org