“Fergal Roche is the Chief Executive of The Key, a company that provides trusted leadership and management support to over 40% of the schools in England and Wales.
Through his work regularly visiting and engaging with some of The Key’s 100,000 members, he has great insight into the world of school leadership and the issues affecting school leaders and governors today.
He has been headteacher/principal of three schools and currently chairs the board of a multi-academy trust in Guildford.
He holds a BA (QTS) from Exeter University, an MA from the Open University and an MBA from Nottingham University.
Fergal is passionately committed to supporting schools in delivering better outcomes for children and young people. In 2007 he joined Ten Group to set up The Key and realise his vision of a service that would enable school leaders to run their schools with increased confidence, knowledge and capacity.”
It’s now only a few short months before the new General Data Protection Regulation (GDPR) will come into force. From 25 May 2018, the new regulations will affect the way schools process people’s personal data, with the aim of ensuring sensitive data is kept safe and secure. It’s similar to the Data Protection Act (DPA) 1998 in many ways – most of the differences involve the GDPR building on or strengthening the DPA’s principles. If you’re compliant with the DPA now, you’ll be compliant with much of the GDPR already.
If you haven’t already started looking into what you need to do to prepare, there are lots of resources available online to help you quickly get up to speed. Cutting the requirements down into timely and achievable objectives is the simplest way to tackle it – our GDPR roadmap is an example of how you could break down the key milestones.
There are a number of things to think about, but broadly speaking, the first step is to kick-start the process with an audit that maps out the personal data your school holds, where it came from, and what you do with it. Collating this information against the 6 lawful bases laid out in the new regulations will help you quickly see which areas you’re already compliant in, and where you need to focus your efforts. Doing this will also help you to establish a record of your data processing activities, which you can maintain going forward. It will also enable you to update your privacy notices, to ensure these are compliant. Make sure they are in clear, plain language – especially those that refer to children’s data, so that a child can understand them.
Perhaps the most important piece of the puzzle in these early stages is to appoint a Data Protection Officer (DPO), who must be in place by the time the regulation comes into force. Your DPO will be someone in your school, someone you share with other schools, or an external data protection adviser, who takes responsibility for monitoring data protection compliance and has the knowledge, support and authority to do so effectively.
Priorities for March
Having completed these steps, take the rest of March to ensure your data processing procedures are in line with the new requirements. Look at how you honour individuals’ rights and respond to subject access requests, and check you have a robust system for managing consent, where you need to get it.
Think about how you might respond in the case of a data breach, and put procedures in place to demonstrate how you would detect, report and investigate personal data breaches.
It may seem like a daunting process, especially with limited time! However, splitting the requirements out into manageable chunks and tackling one task at a time will ensure you’re able to get everything done in time, and have one less thing to worry about. For more information and support, The Key has tonnes of useful resources and templates available to help you along the way.