Data Protection at Work (GDPR)

The impact of the end of the BREXIT transition period on Data Protection

The EU GDPR is an EU Regulation and, now that the BREXIT transition period has ended, it no longer applies to the UK. However, schools need to comply with UK data protection law. The provisions of the GDPR were incorporated into UK data protection law as the UK GDPR at the end of the transition period. The UK GDPR sits alongside the DPA 2018, and in practice there is little difference between the core data protection principles, rights and obligations found in the EU GDPR and the UK GDPR.

You can find detailed information and a useful FAQ document on this topic produced by the Information Commissioner’s Office. You can also find out more about the wider data protection and HR implications of the end of the BREXIT transition period in our BREXIT briefing note.

If you would like to find out more about the GDPR requirements, please visit the ICO website, where you will find the information governance and legislation training workshops. You can select the webinars that fit the needs of your school and add them to your existing training materials.

The DfE has published updated privacy notice guidance. This document explains to educational establishments and local authorities the importance of using a privacy notice. It contains information to explain what a privacy notice is, when it should be issued and what information we would expect it to contain. We will update our templates in due course.

What do schools need to know about data protection?

What is the GDPR?

In January 2012, the European Commission announced its intention to reform data protection rules. The Commission proposed that the existing Directive would be replaced by a Regulation, binding on every member state. Since the implementation date of 25th May 2018 fell prior to the date the UK exited the EU, all UK organisations and all foreign companies processing the data of EU residents had to be compliant with the General Data Protection Regulation (GDPR) from this date.

The UK government published the Data Protection Bill in September 2017 and this received Royal Assent as the Data Protection Act 2018. The Act should be read in conjunction with the GDPR and contains additional provisions relating to, amongst other things, special categories of data, criminal convictions and offences and subject access requests.

The provisions of the GDPR were incorporated into UK data protection law as the UK GDPR at the end of the BREXIT transition period. The UK GDPR sits alongside the DPA 2018, and in practice there is little difference between the core data protection principles, rights and obligations found in the EU GDPR and the UK GDPR.

What about HR data?

Data protection law, including the GDPR, covers the processing of 'personal data' which means any information relating to an identifiable person. Schools and other education establishments will be processing personal data relating to staff, but also to others, such as pupils/students. The information available here is focussed predominantly on the HR and employment implications of GDPR and ensuring compliance in this particular area.

What should I be doing to ensure that our HR data processing is compliant with the GDPR?

GDPR implementation did not end on 25th May 2018, as compliance is not a one-off exercise. Many of the changes brought in by the GDPR are about ensuring organisations incorporate data protection principles into day-to-day processes and practices so that considering the implications for personal data becomes the norm.

In our guidance and information section you can find an overview guidance document on GDPR as a whole, as well as more specific guidance on conducting an HR data audit, the role of the data protection officer, data retention periods for HR data, breach reporting and on handling subject access requests.

In our templates and tools you can find a template for conducting an HR data audit, workforce and job applicant privacy notices, a template HR data retention schedule, an example data protection policy and an example job description and person specification for a data protection officer. There are also links to updated HR policy templates and a range of resources for responding to subject access requests.

