Skip to content

GDPR preparations: Using the Department for Education data protection compliance toolkit

With just one month to go until GDPR comes into practice, the Department for Education has launched a data protection compliance toolkit for consultation. To support you in getting to grips with this, Ward Hadaway has prepared a series of short briefings for schools.

To launch the series, we will first take a look at the DfE initiative and what it means in terms of your preparations.

For some time there have been increasing concerns within the education sector on not being ready for all that GDPR entails. Another common thread is with regards to a ‘lack of guidance’ as to how to secure compliance efficiently and effectively.

So with that in mind, we will look at the big issues that we know schools need to be clear about.

There are big decisions being taken right now including the appointment of data protection officers, securing buy-in at Governing Body or board level, as well as facing the challenge of suppliers sending new contracts and updated privacy notices.

As part of our obligations to observe European Union legislation, the Government is required to support timely implementation.

But look behind the scenes and you see the enormity of the challenge that the EU has faced to get us to this point. There is a strong case for saying that the deadline has arrived too early. Consistency in the way the laws are implemented across Member States is absolutely vital and that takes up a lot of time.

Our Information Commissioner collaborates with her opposite number in all other EU member states through a body known as the Article 29 Committee. That committee deliberates and produces guidance that sets a standard for all member states to meet in their domestic implementation. There is for example a detailed guidance document on the role to be played by data protection officers. Other guidance covers consents, processes for enforcement and the setting of fines.

At UK level, any guidance the Information Commissioner’s Office (ICO) may wish to produce can only follow that centrally promulgated guidance – and has to be consulted upon. All of this takes time.

It’s also the case that, whilst ICO has a strong track record in supporting the schools sector and has in the past few months provided some draft guidance on the vital subject of how to manage compliance when children’s data is involved, a final version has still to appear.

Finally, it would seem that the DfE has signalled that it recognises that developing GDPR compliance will be a continuing exercise after 25th May. Its consultation on the toolkit does not end until 1 June.

So having read this what should I do next?

Read the toolkit document – particularly if you still feel that you need to get up to speed over the actions that your school should be taking. You can find the document here.

Make sure that serious work is being undertaken (great if this has already been done!) to audit, document and understand what happens to the personal data records that you hold.

Take a look at the DfE published model privacy statements – available here and updated to recognise the implementation of GDPR. They will be found to be very basic, don’t take account of the forthcoming ICO Children’s personal data guidance and will need customisation.

Watch out for our further briefings over the next two weeks or so and share them with your colleagues. We will look to fill in some of the gaps and draw attention to areas where the toolkit requires further development and amplification. The briefings will cover:

  • How the DfE Privacy Policy documents should be taken forward to a compliant state;
  • What you should be saying to your Governing Body/Board of Trustees at your next Board meeting about GDPR compliance;
  • What you should say to staff – can they still take personal records home to work on?
  • How to give your data protection officer the best possible start in the role securing trust and confidence across your organisation;
  • How you should respond to suppliers given the terms in which the subject is covered in the toolkit.

In the mean time, press on with preparation! If you have urgent questions at this stage please contact Frank Suttie.

Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.

This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.

Follow us on LinkedIn

Keep up to date with all the latest updates and insights from our expert team

Take me there