1. Neil outlined the case for appointing a data protection officer (DPO) within schools, which comes from the Information Commissioner’s (ICO) requirement for a DPO in place for all public organisations. This would seem to include schools. However, whilst a school’s DPO would need the right expertise and time to do their job effectively, did you know that a DPO could be shared between a number of schools, eg per Trust or alliance? The schools we survey were split 50/50 on whether they had a DPO in place or not. Therefore, for many schools there’s clearly some work to be done when it comes to appointing and bring the right person up to speed ahead of the deadline.
2. Perhaps one determining factor limiting progress is awareness and buy-in from school leadership. Arena finds that process change in any type of organisation, commercial or public, needs high-level sponsorship to ensure action and adoption. However, our survey suggests that most school leadership teams do have the GDPR on their radar. In reality, the biggest challenges to change are far more diverse and specific to each organisation. One respondent identified that “Making staff follow all guidelines” was their biggest challenge. Another similarly felt that “Changing the mindset of keeping information ‘just in case’ and where that ‘just in case’ information is stored” was critical to successful roll-out of new ways of working. One school leader cited “Getting people to act” was theirs: “Systems are there, but what about paper on people's desks?”
3. In terms of systems and technology, all respondents still keep student records in filing cabinets, with 75% utilising secure paper archiving and over 10% still using unsecured paper archiving. Unsecure storage of personal data is a red flag even for current data protection regulations, and whilst a majority have secure storage, the challenge occurs when trying to access records. With the anticipated rise in requests relating to personal data expected, Neil urges schools to try a mock subject access or a ‘right to be forgotten’ request to test out how efficiently and effectively this request can be fulfilled to meet the more stringent requirements under the GDPR. This is where digitising paper records such as student and HR records really starts to make commercial sense to a school, with the cost of time lost adding to the print, storage and risk of financial penalties.
Remember, there is no single off-the-shelf solution that will ensure schools achieve compliance with the GDPR. Neil describes in the webinar how you need a combination of “people, process and technology”. You can read more about the survey responses and access Neil’s webinar by visiting www.arenagroup.net/education.
Want to receive cutting-edge insights from leading educators each week? Sign up to our Community Update and be part of the action!