GDPR day (25 May) has come and gone and, much like the Y2K Millennium Bug, apocalyptic fears have not materialised. We have not seen the ICO go on a mission to make early examples of organisations for minor breaches or reach for huge fines. This really shouldn’t come as a surprise. The Information Commissioner, Elizabeth Denham, did her best to reassure organisations that there was no need for a Y2K level of fear. GDPR compliance, she stated, is “an ongoing journey” and an “evolutionary process” for organisations.
So what steps can schools take post-25 May to continue on this GDPR journey? If you have data protection responsibilities, you will know that effective data protection requires ongoing commitment and effort. Schools will need to keep the positive momentum going – perhaps through a working group or a data protection “champion” – so that emerging privacy and security concerns are identified and addressed in the weeks, months and years ahead.
There is an increasing array of resources out there to help schools. ICO guidance is being reviewed and updated like never before; their “Guide to GDPR” is worth keeping a watchful eye on. ISBA also continues to update its GDPR resources and, for instance, a template letter for existing employees is now available. The letter is designed to give staff all the information they need when it comes to GDPR compliance. It signposts staff to the school’s staff privacy notice, relevant staff policies and, importantly, confirms that references to consent in employment contracts are no longer relied on by the school.
Although the GDPR journey has only just begun, there is (and will be) plenty of assistance you can depend on along the way.