GDPR stands for General Data Protection Regulation and is the new EU legislation. It came into force on 25th May 2018 and replaces all data protection legislation in EU member states (including the UK’s Data Protection Act 1998 (DPA)). The GDPR will not be affected by the UK’s decision to leave the EU.
GDPR applies to all organisations processing personal data, including schools and academies. The legislation will determine how data is processed and kept safe, and the legal rights individuals have in relation to their own data.
The GDPR sets out the key principles that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The GDPR also provides the following rights for individuals:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights in relation to automated decision making and profiling.
The GDPR requires all compliant organisations to appoint a Data Protection Officer (DPO). The DPO is responsible for overseeing data protection within the school. Our DPO is Steve Jones (email: firstname.lastname@example.org).
For further information about GDPR please visit the ICO website.