GDPR 2018 COMPLIANCE- General Data Protection 2018 for Schools –

What is GDPR?

The EU General Data Protection Regulation (GDPR) will take effect across the European Union (EU) on 25 May 2018, when it supersedes the 28 current national data protection laws based on the 1995 Data Protection Directive (DPD). The UK will adopt GDPR and it will remain legislation post BREXIT.

Why does GDPR exist?

Introduced to keep pace with the modern digital landscape, the purpose of the new Regulation is twofold:

  1. to improve consumer confidence in organisations that hold and process their personal data by reinforcing their privacy and security rights consistently across the EU, and
  2. to simplify the free flow of personal data in the EU through a coherent and consistent data protection framework across the member states.

What has changed?

The current Data Protection Directive (officially Directive 95/46/EC) defines an individual’s consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” The standards for lawful consent have now been raised under the GDPR. On 25th May 2018, the new EU regulation (GDPR), aims to give citizens control of their personal data and to simplify the regulatory environment for internal businesses by unifying the regulation within the EU. Personal data must be collected for specified, explicit and legitimate purposes relative to the purposes for which they are processed.

With regards to ‘sign-up’, a few things have changed:

  1. Indication of consent must be unambiguous and involve a clear affirmative action.
  2. Consent should be separate from other terms and conditions. It should not be a precondition of

signing up to a service.

  1. The GDPR specifically bans pre-ticked opt-in boxes.
  2. It requires granular consent for distinct processing operations.
  3. The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.

Consent under the GDPR must be “freely given, specific, informed and unambiguous consent; which informs subscribers about the brand that’s collecting the consent and provide information about the purposes of collecting personal data,” according to the Information Commissioner’s Office (ICO) circa May 2017.

Why does it matter?

Contact without consent results in bad customer experiences. You must earn the right to market to customers. But it isn’t just for your customer’s benefit – gaining proper consent will put your

audience in control, build customer trust and engagement and enhance your reputation. Relying on inappropriate or invalid consent can destroy trust and harm your reputation – and may leave you open to substantial fines. Failure to comply with the GDPR by May 2018 can lead to stiff penalties from the ICO. The first is a maximum fine of up to €10 million or 2% of your global turnover, whichever is higher. The second is a maximum fine of up to €20 million or 4% of your global turnover, whichever is higher.

We know that the ICO has been working hard behind the scenes to identify organisations that are not complying with the new regulations. Some brands have already made unfortunate mistakes resulting in huge fines for their organisations. Let’s take a quick look at what has happened.

                    [Related: –> ]

Data breach notification and penalties

The increase in high-profile cyber-attacks is reflected in the enhanced data security obligations in the Regulation and the parallel obligations in the Network and Information Security Directive. It will be mandatory for an organisation to report any data breach to its supervisory authority within 72 hours of becoming aware of it. If that requirement is not met, the eventual report must be accompanied by an explanation for the delay.

The notification must include specific information, including a description of the measures being taken to address the breach and mitigate its possible side effects. Where the breach may result in a high risk to the rights and freedoms of data subjects, the data subjects themselves must be contacted “without undue delay”. This contact will not be necessary if appropriate protective measures – essentially encryption – are in place to eliminate danger to data subjects.

Any infringements of the new Regulation are subject to a tiered financial penalty regime with fines of up to 4% of annual global turnover or €20 million, whichever is the greater.

Key GDPR terms

Data controller (organisation) means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

Data processor (service providers) means “a person, public authority, agency or other body which processes personal data on behalf of the controller”. An example is a Cloud provider that offers data storage.

Data subject (individual) means an identifiable natural person “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.

Personal data means “any information relating to an identified or identifiable natural person (‘data subject’)”. The Regulation states this also includes online identifiers such as IP addresses and cookies.

Data protection officer

Many organisations will be required to appoint a data protection officer (DPO) to be responsible for monitoring compliance with the Regulation, providing information and advice, and liaising with the supervisory authority.

A DPO must be appointed in schools as the processing is carried out by a public authority

Route to compliance

Next Steps:

An important next step will, for most organisations, be to gain clarity on their personal data processing, and includes identifying:

  • What personal data is held across the organisation
  • What permissions have been obtained for that data
  • What processes and systems are in place for handling personal data
  • Where personal data is transferred outside the organisation (including third parties and cross-border)
  • How personal data is secured throughout its lifecycle

Customer Journey:


Need further help for your school?

We’ve got it covered! Our dedicated team at Joskos has put together a FREE checklist for you to ensure you are GDPR compliant. Simply click below and follow the simple steps.

Would you prefer to speak with one of our EdTech Specialists direct?

0845 37 000 38

Send us a quick enquiry...

Call one of our friendly team members today!

Alternatively you can send us an email and we’ll get back to you shortly