1. GDPR Workshop – Partnerships for Jewish Schools
7 March 2018
Sarah Rowley, Senior Associate

3. Sector data scandals and the fallout
1) Olive Cook and the aftermath too many mailings. new regime as a result. 2) ICO fines 13 charities trading data and wealth screening 3) Selling Barbara documentary charities accused on BBC over data swapping. 4) Age UK data breaches

4. What we’ll cover Intro and background The main changes under GDPR
Processing by education organisations
Lawful grounds for processing
Direct marketing, fundraising and consent
Agreements and data sharing with third parties
Policies, notices and notifications

5. Intro and background Applicable laws: Regulatory guidance:
General Data Protection Regulation – 25 May 2018
E-Privacy Regulation (repealing the E-Privacy Directive) – planned date for implementation – 25 May 2018?
Data Protection Bill (Data Protection Act 2017/18) – 25 May 2018
Regulatory guidance:
Information Commissioner’s Office - organisations/data-protection-reform/
Article 29 Working Party - detail.cfm?item_id=50083

6. Intro and background Key concepts: 6 data protection principles:
‘lawfulness, fairness and transparency’
‘purpose limitation’
‘data minimisation’
‘accuracy’
‘storage limitation’
‘integrity and confidentiality’
GDPR, Art 5.1
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
GDPR, Art 5.2
Organisations must act as either data controllers or data processors

7. The main changes under GDPR
Extra territorial applicability
Breach notification
Data protection officer
Data transfers
Agreements with data processors
Sanctions for non compliance

8. Processing by education organisations
Various categories of data – although mostly relating to students and staff
Parental consent
Managing sensitive data “special categories of data” e.g. health records, classification of ethnicity or religious indicators
Direct marketing to prospective parents

9. Issues for schools Notification Personal data Fair processing
Information security
Disposal
Policies
Subject access requests
Sharing personal information
Websites
Photographs
Processing by others
Training

10. What are the lawful grounds for processing:
Art. 6(1) GDPR Lawfulness of processing
“Processing shall be lawful only if and to the extent that at least one of the following applies:”
Comment a)
the data subject has given consent to the processing of his or her personal data for one or more specific purposes
Only ground available for electronic direct marketing b)
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract c)
processing is necessary for compliance with a legal obligation to which the controller is subject d)
processing is necessary in order to protect the vital interests of the data subject or of another natural person e)
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller f)
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden…
Conduct a balancing test
May be used for non electronic direct marketing
Top tip: Document your balancing test for legit interests

11. Direct marketing, fundraising and consent

12. Direct marketing, fundraising and consent
New donors:
If your consent mechanism is not GDPR compliant, change it to something like:
No longer permitted:
Top tip: Use a separate tick boxes for marketing (but leave off post)

13. Data mapping, lawful grounds and records
Understanding what you do:
Who?
What?
Why?
Where?
How long?

14. Agreements and data sharing with third parties
Understand who you are sharing your data with, controller or processor?
Who determines the purpose for which the data is processed and the means by which it is processed
A good litmus test is whether there is any data for which you could expect, at the end of the agreement, to tell them to stop using/hand back
If you are sharing with a data controller:
(for example, other educational establishments or other organisations providing services directly to your students or staff):
You do not abdicate responsibility for an end user’s personal data simply by sharing it with a third party data controller
Put some controls in place: “where we share data with you, you shall not do or omit to do anything which would cause us to breach applicable data protection law” etc
Top tip: Create a list of controllers and processors

15. Agreements and data sharing with third parties
If you are sharing data with a data processor:
(For example: external pay-roll providers, IT service providers, others providing back-office admin functions for you…)
Binding written contract
Under the DPA 1998:
shall only act on instructions
must ensure the security of the data
Under the GDPR
much more…
Top tip: Write to your processors. Ask them how they’re complying?

16. Policies, notices and notifications
What policies do you have in place?
Data protection policy
Information security (and data breach notification) policy
Data retention policy
Always good to have an instruction manual
Demonstrates compliance with the accountability principle

17. Policies, notices and notifications
Privacy notices / ‘fair processing info’
Tell people what you do with their data. Do you pass the ‘red-face test’?
New – notices should be GDPR compliant
Wide enough to cover all intended processing?
Top tip: At the very least, pass the red-face test!

18. Policies, notices and notifications
The obligation to register as a data controller (and pay a fee) will remain in place (although no longer need to provide detailed particulars)
Don’t let your registrations lapse
Not needed if you sit within an exemption (NB. the one below is v. narrow – schools should not rely on it!)
Top tip: Keep up with your renewals – they will still last 12 months

19. Conclusion and questions
Sarah Rowley, Senior Associate +44 (0)