GDPR is on its way. If you work within an educational institution, there is no doubt you will already have seen preparations ahead of the 25 May 2018 deadline. There is a great deal to consider to ensure schools, academies, colleges and universities meet its requirements. And many will now be well-versed in the potential ramifications of non-compliance, with fines of up to €20m or 4% of an institution’s annual turnover (whichever is higher) regularly being raised to motivate the less eager into action.
But while there is a lot to think about and prepare, there is still time. Questions that need to be answered include: what data do we hold, and what was its source? Who has access to this data now, and who should have privileges to access it in future? How is our data being stored and used? And finally, who is going to manage this process? Under the GDPR, you must appoint a Data Protection Officer (DPO) if you are a public authority or body, if your core activities involve large-scale, regular and systematic monitoring of individuals, or if they involve large-scale processing of special categories of data. While the interpretation of these criteria is still being debated in some circles, it is nevertheless clear that it would be prudent for any educational establishment to have somebody take responsibility for ensuring compliance.
Who the cap fits
As new technologies are integrated into educational facilities to boost the learning process, a proliferation of data is generated about pupils and staff. Under GDPR, it is essential schools have processes in place to ensure they have complete control of this personal data (often referred to as personally identifiable information, or PII). Oversight of these processes would then be best placed with one individual, the DPO, who would hold a specialist mix of skills, perhaps spanning operations, IT and security, that until now has not been present or essential within education.
But against a backdrop of shrinking budgets and increased workloads, the puzzle for most schools, colleges and universities is defining who this might be. The role will, of course, be a time-consuming one. With the threat of considerable fines at stake, it will also carry a weight of responsibility to make sure it is done right. And therein lies the challenge: on the one hand, ever tighter budgets mean the employment of a full-time DPO is a luxury many will not be able to afford; on the other, nominating an individual internally will mean taking time out for training on GDPR compliance and the other skills the role requires.
And the question remains: who is best placed to take on a DPO role? The two options that have been debated in recent months are headteachers and IT managers, as they would possess the business acumen and technical skills required. That said, the Article 29 Working Party’s guidelines on DPOs (adopted in their revised form on 5th April 2017) state that those in senior management roles, including the head of IT, are likely to have a conflict of interest, because they determine the purposes and means of processing personal data. Both would therefore be unlikely to be able to fulfil the role: the DPO cannot decide how personal data is collected and processed and, at the same time, independently monitor that processing for compliance with GDPR.
But that’s not necessarily a bad thing. Neither the headteacher nor the IT manager would offer the depth of security specialism needed to address the ever-converging worlds of physical and cyber security, and the growing number of attack vectors that can expose a network through a single unintended click.
Going outside to get expertise inside
An outsourced, part-time DPO, which GDPR expressly permits on the basis of a service contract, could be the answer to accessing the right mix of skills without the financial burden of a full-time employee. NW Systems’ Data Protection Service provides just that: a tailored service to meet the exacting requirements of every educational institution, with answers to the questions set out above. Hopefully, that means headteachers and IT managers can focus on the incredibly important role of creating an engaging and safe learning environment for our children, while we worry about the rest.
Discover how NW Systems’ expert data protection services can help.