If, like many of us, you have spent the past few weeks being bombarded by information about GDPR and trying to make sense of the avalanche of websites, factsheets and webinars out there, fear not, for help is at hand! Adele Gladman of Safeguarding Children Training and Consultancy Ltd is running a GDPR briefing event for schools on 5 June in Barnsley. In this article, she also tells us how to make sense of GDPR, explores some of the myths, considers what it means for safeguarding children, and gives us 5 steps to follow to make GDPR a straightforward process.
What is GDPR?
GDPR (General Data Protection Regulations) is a new set of EU guidelines governing how organisations like schools handle personal data. The new regulations have replaced the current Data Protection Act and will be legally enforced from 25 May 2018.
Before we start, let’s be clear – GDPR is a good thing (although it might not feel like it at the moment!) and is for our benefit as individuals and as organisations. You might have already found that a lot of GDPR is very similar to what you are already doing, or that thinking about it has resulted in improvements to the processes and practices in your school.
So, let’s explore some of the common myths out there:
Individuals have an absolute right to be forgotten
Organisations can process data if it remains necessary according to the purpose for which it was collected. Only when this is no longer the case does the individual have a ‘right to be forgotten’ (Articles 6, 9 and 17).
GDPR won’t be relevant once we have left the EU
In England, the GDPR is contained in the Data Protection Bill and will be law in the country, irrespective of our relationship with the EU.
Schools don’t need data processing agreements with processors because the GDPR imposes direct obligations on processors themselves
Schools must have an individual data processing agreement for each contract as GDPR places a duty on Data Controllers to be able to show compliance with each data processor they have contact with.
If you have consent, you don’t need to seek it again
Under GDPR, consent must be freely given, specific, informed and unambiguous, and a positive affirmation of the individual’s agreement. Data must only be used for the purposes for which consent has been given. Your existing consents may not be specific enough.
It’s nothing to worry about. The ICO is only after big corporations
The ICO has recruited new compliance teams in readiness for the deadline on 25 May. Are you really going to put that to the test? And what if a parent makes a complaint?
So here are our top 5 tips for being GDPR compliant:
What about safeguarding?
Ahead of 25 May, people are already worrying that they will not be able to record or share information about safeguarding concerns. The most recent draft of the Data Protection Bill means that schools will have lawful grounds for the processing and sharing of information relating to safeguarding concerns without having to seek consent from the child or family, providing the circumstances are justified.
For the data to fall into this ‘special category’ it must be of substantial public interest and be necessary for: –
This applies to both children under 18 and adults at risk.
Recording and sharing information in safeguarding cases is therefore permissible, although there are some additional things to consider, such as evidencing how sharing the information without consent was in the child’s best interests.
If you want to know more about this, or any other aspects of safeguarding, please get in touch. We would love to hear from you. And please come along to our event on 5 June. To book go to: https://bit.ly/2kmp2Kn
But don’t delay, limited places available