A brief summary of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
About Data Protection
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 replace the Data Protection Act 1998. The core principles of the new Acts remain largely the same as the previous Act, with a few key updates designed to reflect the changes in how we use personal data since the original DPA was written.
With these updates to the law come new requirements for data controllers and processors in terms of protecting people’s personal data and respecting their rights. The various updates and changes brought by GDPR can be categorised into three main step changes:
1. Transparency - means telling people more about what we are doing with their personal data. This will largely happen in your updated Privacy Notice, which is the most outwardly visible sign of your compliance with the GDPR.
2. Control - means giving people more control over what we do with their data. The GDPR gives people new rights, such as the right to erasure and the right to rectification. This should not impact too much on schools as they are not absolute rights. If you have a compelling reason to keep the records (such as a legal obligation) you are not required to erase all records relating to an individual.
3. Accountability - while we have always been required to comply with the principles set out in the Data Protection Act, we must now comply and also be able to demonstrate how we comply with the principles set out in the GDPR. This means we must have a heightened awareness of the data processing activities we are involved in, know clearly what the legal basis for it is, and keep detailed records of it all to prove it.