From 25 May 2018 the Data Protection Act 1998 (DPA) will be replaced by the new, more stringent General Data Protection Regulation (GDPR). All governing boards need to be aware of their obligations under the new regulations and will be required to show compliance with the GDPR. The key changes introduced by the GDPR include the following:
- it will be mandatory for schools to appoint a designated data protection officer;
- non-compliance will see tough penalties; schools will face fines of up to €20 million or 4% of their turnover;
- it is the school’s responsibility to ensure that third parties (e.g. catering services, software providers etc.) which process data on its behalf also comply with the GDPR.
The GDPR is intended to strengthen and unify the safety and security of all data held by all types of organisations. The Information Commissioner’s Office has published a 12-step checklist to help prepare for the changes.