
Schools share the challenges of achieving compliance with GDPR


At a recent webinar on ‘Practical Insights on the GDPR for schools’, Arena’s Neil Maude shared some of the most relevant features of the new data protection regulation for schools, the potential impacts, and next steps. This was followed by a survey to understand where individual schools are on their journeys towards the May 2018 deadline, which has elicited some interesting insights.

For example, Neil outlined the case for appointing a data protection officer (DPO) within schools, which comes from the Information Commissioner’s Office (ICO) requirement that all public organisations have a DPO in place. This would seem to include schools. However, whilst a school’s DPO would need the right expertise and time to do their job effectively, did you know that a DPO could be shared between a number of schools, e.g. per Trust or alliance?

The schools we surveyed were split 50:50 on whether they had a DPO in place or not, so for many there’s clearly some work to be done to appoint the right person and bring them up to speed ahead of the deadline.

Perhaps one determining factor limiting progress is awareness and buy-in from school leadership. Arena finds that process change in any type of organisation, commercial or public, needs high-level sponsorship to ensure action and adoption. However, our survey suggests that most school leadership teams DO have the GDPR on their radar. In reality, the biggest challenges to change are far more diverse and specific to each organisation. One respondent identified that “Making staff follow all guidelines” was their biggest challenge, whilst another similarly felt that “Changing the mindset of keeping information "just in case" and where that "just in case" information is stored” was critical to the successful roll-out of new ways of working. Another cited “Getting people to act” as theirs. “Systems are there but what about paper on people's desks?”

In terms of systems and technology, all respondents still keep student records in filing cabinets, with 75% utilising secure paper archiving and over 10% still using unsecured paper archiving. Unsecured storage of personal data is a red flag even under current data protection regulations, and whilst a majority have secure storage, the challenge occurs when trying to access records. With a rise in requests relating to personal data anticipated, Neil urges schools to try a mock subject access or right to be forgotten request to test how efficiently and effectively such a request can be fulfilled to meet the more stringent requirements under the GDPR. This is where digitising paper records such as student and HR records really starts to make commercial sense to a school, with the cost of time lost adding to the print, storage and risk of financial penalties.

Notably, in our survey over 37% had received a subject access request (SAR) or freedom of information request in the previous year. Time will tell whether the increased awareness generated by more mainstream coverage of the GDPR around the May 2018 deadline, the new right to be forgotten opportunities and the removal of a £10 charge for SARs will result in more frequent requests. But also bear in mind that the ICO is looking for evidence of processes in place, and consider the potential impact on your team of dealing with requests, particularly if your paper filing and archiving is not easily searchable.

The challenge of working with paper rather than an electronic document records management system (EDRMS) like Arena’s mstore is throwing up other problems for survey respondents, with “Dealing with paper records” being the key stumbling block for one school and “Going through all the historic paper making sure that we follow the destruction policies,” a principal issue for another. Systems such as mstore remove most of these difficulties, putting documents at people’s fingertips and automating the management and destruction of documents according to the disparate retention requirements for each one.

Surprisingly, around 50% of respondents either did not know what security was in place around their printers and photocopiers, or had none or only partial security in place. With multiple devices easily accessible by the school community and visitors, the impact of a breach caused by sensitive information being sent to a remote printer, and by someone accessing the school’s IT infrastructure via the device’s USB port, is unthinkable. As Neil suggested in the webinar, “Your provider is doing you a disservice if they have not advised you to at least ensure that follow-me-printing is in place at your school.”

Despite the challenges that schools are facing around compliance with the GDPR, the schools we surveyed felt on average that they would be over 70% ready by the time the GDPR deadline comes around in May. If you have still to take your first steps, need a refresher, or are still trying to work out the detail, you can view Neil’s webinar here.

Find out more about mstore for education and access other resources from this website.




© 2018 Arena Group Ltd

The Arena Group comprises: Arena Group Holdings Limited, a company registered in England and Wales (with registered company number 03735943 and VAT number 734562528) and its subsidiary company: Arena Group Limited a company registered in England and Wales (with registered company number 02168309 and VAT number 458238033). The Registered office of all Arena Group companies is Armitage House, Thorpe Lower Lane, Robin Hood, Wakefield, WF3 3BQ. Authorised and regulated by the Financial Conduct Authority for credit-related regulated activities.