Overview of the Law - AMCIS · St Albans 01727 798000 London 020 7183 5683 | @SA_Law WE ARE SA LAW....

GDPR: A YEAR ON © SA Law 2019 | Every care is taken in the preparation of our materials. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.


Page 1: GDPR: A YEAR ON


Page 2: WE ARE SA LAW. We help people like you with all aspects of their business, professional & personal lives.

WE ARE:
- A full-service law firm based in London and St Albans
- A team of expert solicitors who regularly write in industry press, national newspapers & online

WE HAVE:
- Spoken to over 1000 people about GDPR
- Achieved the Lexcel excellence quality mark
- Achieved the top tier in The Legal 500 and Chambers and Partners legal directories
- Vast experience in the education sector

WE CAN HELP YOU:
- Be compliant
- Grow
- Stay competitive
- Do business with others
- Reduce risk & protect your interests
- Translate issues so they are ‘board level ready’
- And much more…

Page 3: KEY DEFINITIONS

WHAT IS PERSONAL DATA?
Any information relating to identifying an individual (data subject):
- A photo
- Email address
- Bank details
- Posts on social networking websites
- Medical information
- Computer IP address

WHAT IS SPECIAL CATEGORY DATA?
Any personal data consisting of information related to:
- Race or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Physical or mental health records
- Alleged criminal activity
- Genetic data
- Biometric data

Processing: obtaining, recording, holding, organising, disclosing, minimising, deleting, maintaining or storing data.

SPECIFIC CONSIDERATIONS FOR SCHOOLS
- Student ID cards
- CRB records
- School registers & attendance information

Page 4: DATA: WHO’S WHO

DATA CONTROLLER (DC)
An individual or organisation which determines the purposes for which, and the manner in which, personal data are processed, e.g. employer/HR.

DATA PROCESSOR (DP)
A body or individual which processes the data on behalf of the data controller, e.g. payroll provider/digital agency/printing company/outsourced provider.

NOTE: Both controllers and processors may be liable to pay compensation to individuals who have suffered damage as a result of a breach of the GDPR.

Page 5: GDPR: THE SIGNIFICANT CHANGES

DATA CONTROLLERS
A controller determines the purposes & the manner in which any personal data are processed.
- Must provide privacy notices covering: the DPO; the legal basis for processing; retention periods; the right to object; the right to complain; the right to make a DSAR

DATA PROCESSORS
A processor processes the data on behalf of the data controller.
- Must maintain full documentation of all processing and should nominate a DPO

DATA BREACHES
Mandatory requirement to report data breaches. Report within 72 hrs of becoming aware of the breach or provide a ‘reasoned justification’.

CONSENT
The data controller has an obligation to demonstrate that consent has been unambiguous & freely given; the individual has the right to object / withdraw consent at any time; and consent will not be freely given if a contract is conditional on obtaining consent.

HARSHER PENALTIES
Maximum fine will be up to 20 million Euros or 4% of annual worldwide turnover.

MANDATORY PRIVACY IMPACT ASSESSMENTS
New risk-based approach to assess the degree of risk posed to data subjects in relation to a processing activity. For example: signing-in registers, CCTV, thumb-print scanning etc.

NEW RIGHTS
Most publicity = the right to be forgotten & erasure; implications for advertising and marketing materials.

SUBJECT ACCESS REQUESTS
Must reply within 1 month instead of 40 days, and no scope for charging.

Page 6: AUDITING

DATA PROTECTION PRINCIPLES
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

KEY AUDIT QUESTIONS
1. How did you gather the data?
2. How long have you held it for?
3. Is it necessary to obtain consent?

Page 7: PROCESSING

PERSONAL DATA – ARTICLE 6 (1)

The best justification for processing is always CONSENT. In the absence of consent, you may be able to rely on these exemptions:

Necessary for:
- Performance of a contract
- Compliance with a legal obligation
- Protecting vital interests where consent can’t be given
- Public interest reasons
- Legitimate interests of the data controller

Page 8: PROCESSING

SENSITIVE PERSONAL DATA – ARTICLE 9

The best justification for processing is always CONSENT. In the absence of consent, you may be able to rely on these exemptions:
- Obligations under employment, social security law etc.
- To protect vital interests where consent can’t be given
- Processing by a not-for-profit body with a political/philosophical/religious/trade union aim
- Data made public by the data subject
- Reasons of substantial public interest, including: archiving purposes; historical, scientific, research or statistical purposes; preventive or occupational medicine; the assessment of the working capacity of an employee; a medical diagnosis

N.B. SAFEGUARDING & DBS CHECKS

Page 9: DATA SECURITY MEASURES

Risk-based approach: “ensure a level of security appropriate to the risk”.
- Pseudonymisation
- Encryption
- Think of data security as an ongoing process
- Ensure the ability to restore the availability of, and access to, data in a timely manner in the event of a physical or technical incident
- Regularly test, assess and evaluate the effectiveness of the technical and organisational measures for ensuring the security of the processing

Page 10: CONSENT

ICO GUIDELINES FOR CHILDREN
- All information provided to children must be in clear, plain language that they can easily understand
- Need to obtain consent from a parent or guardian to process a child’s data
- Required for children aged under 13, but best practice to obtain parental/guardian consent for ALL pupils
- Protection is particularly significant where children’s data are used for marketing and creating online profiles, including photos

Page 11: LEGITIMATE INTEREST ASSESSMENT (LIA)

In the absence of consent, legitimate interest is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.

1. Identify a legitimate interest;
2. Show that the processing is necessary to achieve it; and
3. Balance it against the individual’s interests, rights and freedoms.

Page 12: LEGITIMATE INTEREST ASSESSMENT (LIA)

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

The processing must be necessary. If you can achieve the same result in another less intrusive way, legitimate interests will not apply.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

You must include details of your legitimate interests in your privacy information.

Page 13: ELECTRONIC MARKETING

PECR – PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS
- Soft opt in
- Clear opt out

GDPR – GENERAL DATA PROTECTION REGULATION
- × No express consent
- LIA
- Include clear opt out

You must not send electronic mail marketing to individuals, unless:
- They have specifically consented to electronic mail marketing from you; OR
- They are an existing parent who has received communication from you in the past and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.

Page 14: WHAT IS A PERSONAL DATA BREACH?

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (GDPR Art 4(12)).

Examples:
- Disclosing information to an unauthorised person in a conversation
- Losing equipment on which data is stored
- Losing or leaving documents in a public space
- Emailing the wrong person
- Posting photographs on social media which have been taken inside the school with data in the background
- Producing and sending bundles which have been contaminated with other documents

Page 15: Key learning point: Thoroughly analyse all operations involving the processing of personal data to ensure compliance.

Page 16: 6 STEP DATA BREACH PROCEDURE

1. Breach or potential breach has occurred
2. Notify the DPO at the point the breach is suspected. Inform face to face or by phone; don’t rely on email
3. Trigger the Data Breach Response Plan
4. Thoroughly investigate and document findings
5. If a personal data breach: notify the ICO and potentially the data subjects
6. Review policies & procedures; consider school-wide training or training of individuals

Page 17: WHAT WE’VE LEARNT IN THE PAST YEAR

OBSERVATIONS
- Data breach complaints increased by 160% between May and July 2018 in comparison with the same period in 2017
- Increasing number of customers querying whether or not organisations are GDPR-compliant
- More comprehensive analysis of what constitutes personal data
- ICO has finalised its detailed guidance on children and GDPR
- Data protection fee now applies to many organisations in the UK

HOW THIS AFFECTS YOU
- Importance of DPOs
- ICO attitude to breaches
- Rise in Data Subject Access Requests (DSARs)
- Pressure from third parties to sign up to new data protection policies
- Children’s consent
- Threats to report to ICO
- ICO helpline

Page 18: GOOD TO KNOW

A CIM survey conducted six months post-GDPR of 1,500 respondents found:
- 72% of customers say that they are aware of GDPR, a significant increase from 41% in May
- 50% of customers would take action to stop companies using their data if they didn’t want them to
- 41% of customers don’t think GDPR has slowed the messaging they get from companies and organisations
- 42% of consumers think GDPR has improved how companies use their data

Source: CIM, November 2018

Page 19: ACTION POINTS

- Undertake regular data audits
- Implement and review security measures, e.g. encryption, passwords
- Update key policies and procedures
- Data retention (consider culling data)
- Make use of the ICO helpline
- Ensure a data breach register is maintained
- Provide appropriate training for staff (remember new joiners too)
- Familiarise yourself with ICO guidance published since 25 May 2018

Page 20: HINTS & TIPS

- Keep your desk clear
- Keep files securely
- Use strong passwords and change them from time to time
- Claim printing and photocopying straight away
- Password protect documents containing sensitive data
- Take care with emails. Check what you’re sending and who to
- Save documents in a secure area
- Don’t open suspicious emails
- Dispose of paper sensibly. Recycle or shred?
- If you are unsure, don’t be afraid to check someone’s identity
- Suspect a data breach? Report it straight away
- Follow your school’s policies and procedures
- Make sure personal data is accurate and up to date
- Treat parents’/pupils’ data as you would like your own data to be treated
- Don’t remove files from the office unless absolutely necessary

Page 21: ANY THOUGHTS OR QUESTIONS?

CHRIS COOK | Partner, Head of Employment & Data [email protected] 01727 798017

EMMA GROSS | Solicitor, Employment & Data Protection [email protected] 798049
