Other pages in this section 

• Data Governance - Documents and Guidance
• Data Governance - GDPR Language 

Data Protection regulations

The General Data Protection Regulation (GDPR) came into force on 25th May 2018. After our exit from the EU it was adopted into UK law and is no The UK GDPR. Along with the Data Protection Act 2018, (enacted 23rd May 2018) this represents the first major shake up of Data Protection Legislation for 20 years. The world has changed and the new laws reflect this. 

The DPA 2018 repeals the DPA 1998 and sits alongside the General Data Protection Regulation (GDPR). The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR. 

The principles of Data Protection are similar to those under the DPA 1998 but are developed and enhanced for the 21st Century. 

There are new and enhanced rights for individuals under the GDPR, designed to give citizens more control of their personal data. 

The main difference though, is the principle of accountability. Under principle 5(2) the Data Controller (School) must be able to prove they are compliant with the GDPR.  

Schools must be able to prove that they have appropriate measures in place to reduce the risk of data loss. 

Schools wishing to comply with the data protections regulations are advised to sign up for the Data Protection Officer Service Level agreement.  

"GDPR is an evolution in data protection, not a burdensome revolution" Information Commissioner’s Office 

Summary of schools’ responsibilities

Data breach notification

Breaches need to be reported to the ICO within 72 hours where this is feasible, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of an individual. 

Abolishing processing notifications

The ICO have abolished the Register of Data Controllers and replaced it with a register of fee payers. (The fee stands at £40 to £60 depending on the size of the school) Check your registration here. 

Data Protection Impact Assessments

Schools must undertake a data protection impact assessment (DPIA) on data processing which presents high risks. This is part of a new approach to Data Protection - "Data Protection by Design" 

When do we need to conduct a DPIA? 

If you are doing something new with the data you already hold or if you have are buying a new system that will hold people's personal information. 

Data processing in contracts

Any contracts that do not contain the necessary provisions will need to be amended.  

Data protection officers:  

Maintained schools (and other qualifying schools) must designate a data protection officer. See SLA section for Merton DPO 

Administrative sanctions

A new range of administrative sanctions . Penalties of up to £17m (€20m) or 4% of global turnover. 

Steps to becoming compliant

Step 1: Raising awareness 

Step 2: Creating a high level data map 

Step 3: Turn your data map into a data asset register 

Step 4: Documenting the reasons for processing data 

Step 5: Documenting how long you need to retain information 

Step 6: Reassurance and risks 

Step 7: Decide on your Data Protection Officer role 

Step 8: Communicate with data subjects  

Step 9: Operationalise Data Protection, and keep it living 

UK-GDPR’s six principles

The GDPR can be summarised as six principles of how schools should use personal data. 

• Personal data should be:
• Processed fairly, lawfully and in a transparent manner
• Used for specified, explicit and legitimate purposes
• Used in a way that is adequate, relevant and limited
• Accurate and kept up to date
• Kept no longer than is necessary
• Processed in a manner that ensures appropriate security of the data. 

Individual Rights Under the GDPR

The GDPR strengthens the rights of individuals to personal data including the: 

• Right to be informed (concise, clear and free)
• Right of access (faster response times for SARs/free)
• Right to rectification (faster response times/3rd parties)
• Right to erasure (faster response times/3rd parties)
• Right to restrict processing
• Right to data portability (automated processing only)
• Right to object; and
• Rights to automated decision making and profiling.

Schools will need to be prepared to deal with people exercising their new and enhanced rights. Schools will now have one calendar month to deal with the above requests.  

What is a calendar month?

A calendar month starts on the day after a school receives the request, even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month. 

How does this affect us?

Senior leadership

In the same way that safeguarding is a school-wide priority normally led by one of the senior leadership team, it is recommended that data protection follows the same approach. 

All staff

With such a major emphasis of evidencing compliance, it’s important that schools can also demonstrate that the whole school is on board when it comes to data protection. 

Staff training

Staff awareness training is available as part of your DPO SLA. Please contact: derek.crabtree@merton.gov.uk

Training Videos and CPD for Staff is available from your GDPRis Portal. 

GDPRIS

All schools signed up to the Merton DPO SLA now have access to GDPRIS  where you can start to record your compliance details.  

GDPRis login page