You have probably seen and heard an enormous amount of news, rumour, commercial offers, and of course emails! about the General Data Protection Regulation which took effect in the European Union on 25 May 2018.

This video from the Wall Street Journal explains how GDPR could affect you, even if you don’t live in the EU.

John Mikton, a well known figure in the IB Tech community, has written a very helpful review of the effects of GDPR on schools: Privacy: General Data Protection Regulation (GDPR and European International Schools.

“The GDPR requires European International Schools to ensure that all schoolwide processes, producers, and policies with personal data of staff, faculty, parents and students are complaint with the GDPR regulation…There are three areas that European International Schools have to focus on for the GDPR: Governance, Data Protection and Cyber Security. Schools need to show that they are working toward compliance in all three areas and ensure that any personal data they process is handled and stored securely. The focus is on mitigating the risk of personal data not being properly safeguarded…The GDPR extends to those organizations, companies, and services which European International Schools use for different services or resources in and outside of school.”  I urge you to read the whole article.

In this video, Iain Bradley from Britain’s DfE explains how schools can review and improve their handling of personal data.

This page from the Irish Tech News offers a helpful list of practical steps, and examples of processes the author has been involved in. Read the whole article for more details and examples. Here are the main areas needing your attention:

  1. Map the current flow of personal data: review and document all data processing activities.
  2. Assess risks: review the risk that all data processing activities pose for data subjects.
  3. Changes required: it’s important to note that if your work involves the processing of data from children, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians.
  4. External providers: identify joint controllers, processors and sub-processors, and create instructions on how data should be handled e.g. health insurers or outsourced payroll.
  5. Policy documents: create a publicly available data protection policy.
  6. Training: ensure all your staff are adequately trained and understand their obligations under GDPR for personal data.
  7.  Ongoing audits: you should create a procedure that assesses the risk when anything in your business changes that means you will be requesting personal data, and that the GDPR principles are always adhered to in any new development.

Another good source of information come from TES: GDPR for international schools: how is your school affected? “International schools will need to comply with GDPR in the same way a school in the EU would”, explains Mark Orchison, managing director at 9ine Consulting. “They have the same obligations as any school within the EU so as long as they are processing the data of EU nationals, which most international schools will be,” says Orchison. “They have to put in place the same protections as any other school or any other organisation that sits within the EU and that’s under article three of the regulation.”

Orchison gives an example of student exchange: “If I am a school in Kenya and the kids from my school go to a school in France on a school trip, or vice versa, the school in France is going to ask me how I’m compliant with the regulation. If I am not compliant they can’t share the data of the children who are coming on the school trip with me. Therefore, the school trip can’t happen.”

A link at the bottom of the TES page will take you to the ICO Data Assessment Self Assessment Checklist.

This video by GDPRiS (a commercial data management system for education) gives a visual demonstration of how important data mapping is to give schools a clear view of their school data eco-system. (You might want to mute this video when you watch!)