GDPR for school leaders
Craig Stilwell (LLB Hons, L.P.C)
Programme
09:30 Introduction
10:15 GDPR: The Changes (part 1)
10:40 Refreshments
10:55 Exercise 1: GDPR True or False
11:15 Individual Rights Under the GDPR
11:45 GDPR: The Changes (part 2)
12:15 Exercise 2: SARs and DPOs
12:30 Lunch
13:30 GDPR: The Changes (part 3)
13:50 Exercise 3: Breach Notification
14:10 Steps To Take Now
14:40 Refreshments
14:55 Reflection Exercise
15:15 Conclusions, Reflection and Q&A
Course Aims and Objectives
• To understand the current data protection structure and its principles;
• To learn about the GDPR regulations and what this means in practice to your school;
• To gain awareness of the changes brought about by GDPR and how this will change the current data protection structure;
• To establish why we need to comply with the GDPR and the requirements for compliance;
• To deepen your understanding of the DPO;
• To identify sources of support and guidance and how to use them to achieve compliance; and
• To consider and plan for the GDPR.
NAHT contacts for support
Main Contacts
Telephone number: 01444 472472
Website:
Direct dial for Professional Development team: 01444 472405 or email:
Website:
Exercise 1 GDPR: True or False
1) The GDPR only applies to companies located in Europe.
2) There is no longer a requirement to register with the ICO as a result of the GDPR.
3) The changes in relying on consent means employers cannot rely on consent from employees to process data.
4) As data processors are now covered by the GDPR, there is no longer any need to enter into data processing agreements with them.
5) All organisations must appoint a data protection officer.
Exercise 2 Subject Access Requests and Data Protection Officers
1) Can we refuse a subject access request because:
(a) The request has not been made by the individual personally.
(b) The request is too onerous to deal with.
(c) We don’t know the reasons why they want the information.
2) Which of the following positions can be a data protection officer?
(a) Head Teacher.
(b) Business Manager.
(c) A senior consultant from an external company.
Exercise 3 Breach Notification
1) True or false: you have to notify the ICO of all data breaches?
2) You have just received a report from your admin team that a member of staff accidentally sent a document to your local College. This document was a staff phone list containing their staff contact numbers. Does this need to be notified to the ICO?
3) Your external IT company have noticed a breach on the School’s network. The breach was resolved but wasn’t reported to the School until a month later, during an on-site visit where they mentioned the breach to the School’s IT Technician. The technician felt that the breach did not need to be escalated as the IT firm had resolved it. Are you happy that the correct procedure was followed by the company and/or technician? What steps could/should be taken by the School now/in future?
Reflection Exercise
- Consider the changes being brought about by the GDPR and how this affects your School.
- Use your school improvement plan to think about what needs to be done to be compliant with the GDPR.
- Think about responsibilities pre and post 25th May and prioritising those responsibilities.
Action / Priority / Deadline