Andrew Preston, CEO of de Poel group, comments on the imminent General Data Protection Regulation (GDPR) legislation – and how schools can take steps to prepare for this now:
From 25th May 2018, the 1998 Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR) – completely changing data protection in every single way.
Introduced to keep pace with the modern digital landscape, GDPR is more extensive in scope and application than the current DPA. Therefore, it may be simpler to view – and approach it – as a complete overhaul rather than anything additional ‘on top’ of current legislation. That is because nearly two decades ago – when the DPA was first put in place – data was very different. On every level, whether personal or business, personal data essentially meant names or addresses (both physical and email) and other, more simple identifiers such as gender.
Fast forward to present day and data is everywhere and everything. Most people have a clearer idea of the value of their data, and view it as their data – not the organisation’s they are sharing it with. These days, if you have a Facebook account and receive notification that privacy settings may be changing, far more people will be conscious that this is something that should be checked than ignored – as the personal data ramifications could be huge.
In the same way, today’s educational landscape is heavily shaped, influenced and dependent on data and Management Information – from storing masses of paperwork in filing cabinets to keeping records and databases of staff and pupil information. GDPR – and the root and branch reform it presents – is set to dramatically impact the way in which you manage and store all data and information within your school. How you monitor and manage your temporary supply staffing provision could prove to be a significant part of this.
The education sector is already contending with a myriad of challenges; struggling to align demanding financial targets with unyielding funding cuts, attracting and retaining the best talent, increasing pupil numbers, rising costs and of course, the potential Brexit effect.
Against this backdrop, Schools Week has reported warnings from tech experts 9ine Consulting that schools face having to free up a teacher to work three days every week on EU data protection issues. They also warned that out of-date IT equipment may have to be replaced, at a time when many schools are already struggling to cope with stretched budgets.
With the new GDPR rules, it will be illegal for schools not to have a formal contract with a chosen data processor, and if their chosen processor does not meet minimum industry accreditations. In addition, if schools utilise – knowing or unknowingly – a high-risk approach and use IT equipment that is out of warranty or software that is not up to date, they could fall foul of the new stipulation to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”
Non-compliance could see organisations face fines of up to 4% of their turnover, or £20 million – whichever was greatest. For schools, there is the further risk that Ofsted ratings could be seriously affected if the correct policies and procedures are not in place, when it comes to data and IT security.
Whilst, at this stage, it is important to note only guidelines have been published, GDPR presents a daunting set of added challenges. As such, the Information Commissioners Office (ICO) is urging educational providers to start thinking about the impact the GDPR will have on them, and to start putting policies and practices into place ahead of the change.
With just ten months until this new legislation comes into force, now is a critical time for schools to seize control, recognise GDPR as the change management exercise it truly is and start taking proactive steps to carefully plan and prepare – ensuring total compliance ahead of the curve.
As your independent, neutral vendor partner in the temporary recruitment process, de Poel will be helping to manage, control and guide GDPR compliance on all aspects of your temporary supply staffing that flow through our contracts.
Our leading technology solution, e-tips®, means that data is housed safely and securely, enabling increased visibility and control and access to real-time Management Information – mitigating risk with regard to GDPR. In addition, e-tips® acts as a centralised booking platform, providing greater candidate availability and thus allowing us to guarantee cover.
This is alongside significant upfront cost savings – typically between 8 and 10% – that schools are realising on their temporary supply cover spend through de Poel. Crucially, our neutral vendor model ensures all of this can be done whilst fulfilling compliance and safeguarding obligations.
With this new legislation on the horizon, we are committed to ensuring our client organisations and agency partners benefit from the very latest thinking on how to manage GDPR in the wider sense. These include:
- Creating awareness and knowledge of GDPR amongst our contract and performance staff;
- Carrying out a data audit of all data that flows through our business;
- Reviewing consents/legitimate reasons to collect this data;
- Setting new Data Retention policies (how long we keep data, depending on the situation;
- Reviewing all existing contracts (including data sharing, any data processor relationships, or where we are a data processor) and passing on appropriate advice, guidance and contractual requirements to our agency partners and clients;
- Carrying out de Poel staff training on new processes, where these are required – and additionally agency partner training;
- Setting policies and procedures for dealing with enhanced rights of individuals;
- Setting a new Data Breach Policy and procedure.
Alongside supporting schools with implementing the above future-proof solutions, we can also offer discounted legal advice from renowned law firm and employment and data protection experts, Irwin Mitchell. For more information, please email firstname.lastname@example.org.