June 27th, 2022
Privacy and data protection have always been important for the individual. It's a matter of respect and trust that companies handle your data correctly.
Ever since the GDPR (General Data Protection Regulation) was introduced in 2018, small business owners have not known what to do with it or how it could affect their companies.
Let’s say that you own a music school or a school where the kids study foreign languages. You may be looking for answers to the following questions:
💭 Do I have to make adjustments to my record-keeping?
💭 What exactly is “sensitive” information?
💭 Am I still able to store that data on a simple, portable device?
💭 Do I need special school management software to help manage my data processing practices?
Luckily, you’ve come to the right place.
Whether you’re an established school owner or you’re planning to open a small teaching business, we’ve outlined everything you need to know about GDPR below.
The General Data Protection Regulation (GDPR) is a set of data protection laws offering greater security around the collection, storage, and usage of personal information from individuals.
To help keep up with the developments in modern technology, the GDPR replaced the Data Protection Act (DPA) of 1998.
It affects every company in the entire world that deals with personal data gathered from people that are part of the European Union (EU).
The GDPR was also designed to place a greater emphasis on consent to give more power to the individual. This is to ensure that businesses get people to agree to:
📱 Why their data is gathered.
📱 What the data gets used for.
📱 How personal data is stored.
📱 How long data is stored for.
The DPA was introduced at a time when the average person’s digital footprint was almost nonexistent.
As a result, the amount of information was smaller and the complexity of how it got stored by data processors was simpler.
Some of the fundamental changes within the GDPR include:
📱 Businesses need to provide evidence on how they collect data.
📱 Individuals have the right to obtain their data for free, whenever they want.
📱 Fines may be issued if data protection regulations are not adhered to.
Not only does GDPR compliance increase the accountability schools have when processing data, but it also gives parents more power over what is done with their child’s information.
For schools, this is particularly important because children’s personal data requires greater protection and schools are often required to keep student data for years after the students leave the school.
Although the GDPR forces schools to rethink how they collect and process data, the good news is that over time this will ultimately reduce the amount of data that needs to be stored.
All of these regulations may seem scary at first. But, once you’ve learned more about GDPR’s key areas, you’ll have a better idea of how to apply them to your teaching business.
Let’s take a closer look at some of the most important regulations below.
This applies to absolutely every person that you might be collecting personal data from in a school environment.
Specifically, personal data includes any information that could help identify a person or their family, such as:
👀 Their name.
👀 Postal address.
👀 Relevant contact details.
When it comes to students, personal data refers to:
👀 Their legal guardian or parent’s contact details.
👀 Any disciplinary records.
👀 Marks and progress reports.
The data we’ve outlined above is still regarded as personal even if the individual chooses to publicize it.
The data your school collects may also belong to your fellow teachers, secretaries, accountants, and even the company that delivers your stationery.
Your school may only collect personal data if it's legally required to do so, especially if it involves a third-party data processor.
For example, you might need it for signing a contract with a new teacher, or for recruiting new students for your classes.
Similarly, the students (or parents) may have asked you to provide some data on your teaching classes.
Regardless of the case, you must tell them precisely why you need to collect their data, and you should only use it for the purpose that you have mentioned.
Before you implement any new software into your school, you must remember that the terms and conditions are there for a reason: to be read and agreed upon before signing.
If your school starts working with a third-party supplier, you need to carefully go through its user contracts and ensure that they are GDPR compliant.
You also need to make sure that the third-party supplier explains:
🔍 What data is being collected and processed.
🔍 Who has access to your school’s data.
🔍 How they plan to keep your students’ data protected.
Whenever you add something to your school’s data management system, you should know that every individual has the right to enquire about everything.
At the very least, individuals have the right to know what you collect about them. This right isn’t particularly new.
If you ask a third-party supplier what they’re using your school’s data for, they have to provide the answer within a month.
They also can’t charge any fees for those subject access requests.
Students also have the right to see their personal information, should they ask for it.
However, parents don’t have the right to access their child’s personal data unless they are under 13 years old and have provided consent.
Just like every parent, student, teacher, or business partner has the right to know what their data is being used for by your school, they also have the right to delete it.
The only time when their request can be denied is when your school or a third-party company needs that data for legal reasons.
For example, schools are legally required to keep student records for a certain amount of time and for tax purposes.
Every individual has the right to ask for a copy of their personal data, irrespective of why they want it.
A typical example would be using that data to transition to a different service provider. This includes instances when:
🔀 Your students want to transfer to a different school.
🔀 Your professors or teachers are looking to change jobs.
If there is any breach of the personal data your school has collected, it will need to be reported within 72 hours to the Information Commissioner’s Office (ICO).
This will be to assess whether the data breach poses a risk to the rights of the affected parents, students, or staff.
This usually refers to the possibility of an individual suffering bullying, reputational damage, or financial losses as a result of the data breach.
You will also be expected to provide a detailed account of the breach to the ICO, including:
📝 The extent of the damage.
📝 When and how you learned of the breach.
📝 Whose data has potentially been affected.
📝 How the incident is being handled.
📝 Who they should contact if they need any more information.
There are a number of steps that your school can easily take toward better GDPR compliance. Let’s examine some of these below.
Since schools are defined as public authorities within GDPR legislation, they are required by law to employ or assign a Data Protection Officer (DPO).
A DPO will monitor your school’s GDPR compliance, as well as inform and advise you about your data protection obligations.
DPOs can also help schools make sense of EdTech privacy policies and show you exactly how your data is processed and used.
Having a good relationship with your school’s DPO ensures that you have someone to turn to for advice should a data breach occur.
You can’t expect that your teachers or staff know how to keep your school’s data protected if you never show them why it’s important to do so.
A great way to do this is to make all of your school’s staff aware of GDPR through an awareness campaign. You can teach them:
💬 How student and school data is collected.
💬 What the different categories of data are.
💬 What schools use data for.
💬 Why data needs to be stored properly.
💬 What to do in the event of personal data breaches.
You could also ask your school’s DPO to host a workshop at your school to inform staff about the issues we’ve mentioned above.
This will also give your staff the opportunity to ask the DPO any questions they may have about data protection.
It’s also important for schools to identify and audit all of the software that they use.
With the rise of helpful apps in the education sector, many teachers may make use of apps without considering whether they are GDPR compliant.
An audit of all software—including school apps—will help you ensure that everything your teachers and staff are using is GDPR compliant.
It will also give you better transparency over whether the software is processing personal data and whether it’s safe to use in your school before there’s a costly breach.
If your school is found not to be complying with GDPR regulations, this could result in:
🆘 Potential hefty fines of up to 4% of your school’s annual revenue.
🆘 Warnings or reprimands by your school’s DPO.
🆘 Temporary or permanent bans on data processing.
🆘 Restriction or forced removal of the data from your school.
As we’ve seen in this article, personal data is important, and you must keep it private unless you are required by law to access it.
As a person in charge of a small teaching business, you should not only protect the privacy of your students, but also the privacy of your teachers.
One of the best ways to ensure your school’s data remains protected is using a trusted school management system like Teach ‘n Go.
With our student management software, you can be sure that our cloud servers will store your school’s data safely and securely.
We also use extended SSL encryption and are fully GDPR compliant, giving you peace of mind that your school’s data is in the right hands.
To find out more, get in touch with us today for a 7-day free trial or book a demo.
You’ll have access to all of Teach ‘n Go’s premium features and be able to cancel at any time—no credit card required.