When it comes to GDPR, Donald Rumsfeld’s famous quote seems very appropriate:
“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”
This can make getting ready for GDPR difficult. Based on our many conversations with schools, we want to set out some of the emerging trends.
When it comes to the “known knowns”, we are clear on some basic points. It is coming into force on 25th May 2018, and some of the requirements are similar to current data protection law: it is necessary to give people information about how their data is processed, stored and used, and people will have rights around access to that data, ensuring it is accurate, and so on. It will be necessary to record and (subject to conditions) report breaches to the ICO. It will also be necessary for some organisations, including schools, to appoint a Data Processing Officer (DPO).
However, there are some emerging themes when it comes to “known unknowns”. Two key points that come up repeatedly relate to the DPO and retaining data.
For the DPO, it is clear that the DPO must have the expertise to fulfil their role and must act independently. What exactly that means in practice for schools is still not clear. There are suggestions that it definitely could not be a headteacher or other senior leader. However, our view is that, while it is important to consider potential conflicts and independence, we would caution against adopting a fixed position at this stage. A DPO will be necessary, and it will be permissible to buy in a DPO and to share a DPO across more than one school. At this stage, we know it will be necessary, but we don’t have enough information to reach fixed conclusions when it comes to schools.
Another key area is data retention. Ask any school how long data should be kept and you will get numerous different answers from different schools in different local authority areas. The ICO is also not giving a fixed answer. The point is that there is no clear answer at this time. However, what is clear is that if data is being kept, there needs to be a reason for it. While more guidance is needed, our view is to focus on having a complete understanding of what data you hold and a clear rationale for why you are storing it for a particular length of time.