The GDPR is legislation passed within the European Union (EU) that focuses on protecting the personal data of EU citizens. The legislation is unique in that it sets forth regulations for any business that controls or processes EU citizen data, regardless of the company’s location. 

Does GDPR affect your school? 

If an inquiry, an applicant, a parent or any other user is physically located in the European Union at the moment they submit their data to your school, then the GDPR applies to your organization. 

When does the GDPR go into effect?

May 25, 2018

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data (School), while the processor is an entity which processes personal data on behalf of the controller (PCR Educator).

Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?

The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.  Explicit consent is required only for processing sensitive personal data. However, for non-sensitive data, “unambiguous” consent will suffice. When the processing has multiple purposes, the processor or controller must obtain consent for each purpose. Please refer to https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf for more information.

Lawful basis for processing personal data.

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it. If the data processing is necessary for compliance with a legal obligation to which the controller (school) is subject, or the processing is necessary for the performance of a contract to which the data subject is party (i.e. a student enrolls in the school, the parents sign the enrollment agreement and the school needs to process the student’s data to perform its business), then the controller (school) does not need consent.

What about Data Subjects under the age of 16?

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

How does the GDPR affect policy surrounding data breaches?

To comply with the GDPR and to facilitate compliance with the GDPR for our client schools, PCR Educator, as soon as reasonably practicable upon becoming aware, will notify its customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed by PCR Educator, its sub-processors, or any other identified or unidentified third party. Consequently, upon receiving a notification from PCR Educator about a data breach, your school must notify the data privacy supervisory authority in the EU member states of which the affected individuals are residents within 72 hours, unless you can demonstrate that the data breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” PCR Educator is revising its agreements with our clients to ensure that this provision is clearly communicated in the contract.

What changes should a school make with regard to the GDPR and its use of PCR Educator?

The schools should identify the areas where they collect any data from any individuals where the collection of the data is not justified under the following clause:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” Then, update these data entry forms to include consents that would serve as a basis for lawful data processing.

If you are interested in learning more, the full legislation and additional regulation details can be found at http://www.eugdpr.org/.
