What is GDPR and how does it differ from the DPA?

The Data Protection Act was introduced back in 1998, which, to give you some context, was the same year Google was launched. A lot has changed since then, particularly in schools: the quantity of data schools collect and the complexity of locations where it is stored have changed dramatically.

Although much of the legislation from the Data Protection Act remains, GDPR looks to reinforce certain elements.

Before we go on, it is worth clearly defining what ‘processing’ data means in the context of GDPR.

It basically refers to any operation or set of operations performed on personal data, whether that operation is automated or not. That includes collecting it, organising it, structuring it, storing it, retrieving it and a whole lot else (you can find the official definition here). Schools, you will notice, do all of these things with personal data regularly.

Key changes from the DPA include:

  • Evidencing compliance: the most significant change from the previous regulations, and the one that schools will need to focus the most resources on, is evidencing compliance. The new GDPR requires that schools don’t just comply with the regulations; they need to be able to show that all processes around data have been considered and recorded. That means keeping a record of what you are doing and when.
  • Individual rights: previously, individuals were able to ask to see all data an organisation held about them, and ask for any inaccuracies to be corrected. This process incurred a fee. Now it’s free and individuals can also request to have their data removed, to withdraw their consent, or to have their data given to them in a portable manner.
  • Categories of data: the new regulations have altered the ways in which organisations need to categorise personal and sensitive personal data. Changes include the addition of biometrics and genetics into ‘special category data’.
  • Potential fines: under the new regulations, all companies and organisations that handle personal data will be liable for fines of 4 per cent of their annual revenue or €20m (around £17.7m), whichever is larger.
  • Enforced in the UK by the Information Commissioner’s Office (ICO), the new European guidelines will continue to be used by the UK on departure from the EU, so holding out for Brexit in the hope this will all go away is not a viable option.