The General Data Protection Regulation (GDPR) is the EU’s tough new privacy and data protection law, designed to significantly strengthen all EU citizens' rights and security relating to the data you store about them. This includes the right of students, staff and parents to take legal action against the school or ‘student information system’ supplier, and the right to compensation for misuse of their personal data.
Why should I care?
Compared with the current data protection directive, which the GDPR replaces, the regulation places many more legal obligations concerning privacy and security on schools and their suppliers, and these will affect the way your school is run. The penalties for non-compliance are far more severe and, unlike under the previous data protection directive, enforcement will be actively pursued.
When does it come into effect?
It's already in place but becomes enforceable on May 25th 2018.
It seems like a long way off to start worrying now.
It’s a year away, but there is quite a lot to do, depending on the size of your school and how well you currently manage the security of your student and staff data.
What happens if we do nothing about compliance with GDPR?
The penalty for non-compliance is as much as 20 million euros or four percent of annual global turnover, whichever is higher.
If you currently use a supplier that holds and processes your students' data, they will have to formally prove GDPR compliance as a legal requirement. If they fail to do so, you will be obliged to stop using their services.
By Spring 2018 you will likely be required by law to appoint a Data Protection Officer (DPO) or subcontract the services of one. It’s estimated that the appointment of 75 thousand DPOs will be needed in Europe and the US to cope with this requirement.
According to Eduardo Ustaran, partner and European head of data protection at law firm Hogan Lovells, "it would be a huge mistake to ignore the GDPR until it becomes enforceable in 2018."
So, what should I do?
There is a lot to learn! We’re busy understanding the details of GDPR in the context of schools and preparing the MySchool platform & service to ensure full compliance. We'd like to share what we’ve learnt with you.
We’re preparing regular email and blog updates, guides and resources over the next year to help schools prepare for GDPR.