All the excitement (if that’s the right word) about GDPR seems to have moved on now so we thought we it was time to conclude our blog and reflect a little on what we have put in place, what we might do differently and what we still want/need to do (as GDPR certainly hasn’t gone away!).
Well, the world hasn’t collapsed following the introduction of GDPR and I’m not aware of any school prosecutions yet, in spite of all the warnings and horror stories from companies trying to get our business. Overall, from our perspective, apart from taking up some time it feels as though the process that we went through has been a good thing: we have tightened up our practice; put training in place for everyone so there are clearer expectations of staff; given more thought to what and where our sensitive data goes to, how it is processed and who it is shared with.
On reflection we’re not sure what we would do differently and this isn’t because we think we’re perfect, but we have stumbled our way through the issues and nobody has said we’re doing anything wrong and there aren’t any prosecutions pending! I know I’m pleased that we didn’t shell out lots of money to a third party to ‘do’ GDPR for us, although I know some headteachers have told us they felt it was money well spent. Having our school business manager as the DPO seems to work as there is appropriate separation given the role of our governors with oversight.
So, we seem to have things in place now: policy, privacy notice, training, roles. But we still think there is more we can do: constant vigilance and monitoring of practice is one as well as building training into our induction programme and regular annual updates. We are also continuing to pursue the idea of a significant overhaul of our website to allow greater interactivity for parents with personalised accounts so they can update their personal details as well as access assessment and attendance information.
Anyway, this is us signing off! We hope you have found our ‘warts and all’ blog helpful.