The recent announcement of the proposed fine for British Airways has once again re-ignited the GDPR-related discussion. The fact that it was followed promptly by a further fine for the Marriott hotel chain just added fuel to the fire. I have once again seen a number of emails and posts on social media regarding GDPR support and consultation services, and also GDPR “solutions”. This continues to worry me, as the security and protection of organisational data is an ongoing process, not simply a task to be done and then revisited yearly, nor a product or service to be purchased. It also worries me that some schools, or indeed other organisations, may sign up to services seeking an answer, only to find that their purchase adds little value but comes at significant cost.
In relation to the lack of clarity, and the need for advice, around GDPR, a couple of school-based queries I have recently observed stick in my mind. One related to a teddy bear and diary which was passed around a class, with young children taking it home and adding a note or drawing to the diary about their time with the bear. The children were all around the 4-6 year old range. The bear would then be passed on, along with the diary, to the next child and so on as it circulated around the class. The concern here was that each student’s drawings, comments or even photos were being passed on, so the question was whether GDPR prevented the activity, required parental consent from each parent, or similar.
Another query related to a class yearbook within a Year 4 class, which would be produced from student input and from photos gathered throughout the year. The yearbook would then be shared with all students. The concern here related to the use of names and photos in the yearbook, and whether GDPR requirements prevented the activity or put specific requirements around the data which was allowed and/or the permissions and consents which were needed.
In both cases I think the concerns around GDPR in relation to the planned activities are disproportionate. That said, I think having the concerns, raising them and then recording the decisions is excellent, as it evidences that GDPR is taken seriously by the school and is considered wherever personal data may be involved. It is also important to note that I do not profess to be a GDPR expert and certainly couldn’t attest to how things might go in a court of law. I doubt, however, that many of the so-called “experts” to be found sharing their services could reliably predict the outcomes should such issues progress to their eventual final resolution in the courtroom.
In the case of the teddy bear, in my view, it would be anticipated that the parents already know the parents of the other children in the class, and the children themselves. It is also reasonable to expect that little of what is written or drawn by a 6 year old will constitute personal data. In addition, parents will have control over any photos which they may work with their child to add to the diary. As such, having at least thought about GDPR, it is reasonable to assume that little if any personal data is involved and that, where it is, parents will be providing content through choice and will be aware of how the diary will be shared. To be totally clear and transparent, it may, however, be worth outlining the activity in a letter to parents, explaining how the diary will be shared and how parents can choose whether or not to contribute.
Where the yearbook is concerned there is likely to be a bit more personal data, in that it will most likely contain the names of children. Again, as with the teddy bear, you would expect students to know the other students in the class, and therefore you would also anticipate the parents of a pupil knowing those students and their names through their own child. As an element of caution you might decide to list only forenames rather than full names, thereby minimising the data being shared. As a yearbook, the purpose of gathering the data, and how it will be shared, is clear. Once again, a letter outlining the activity could be shared with parents, allowing them to exempt their child from inclusion; beyond this, however, I believe the act of at least considering the potential GDPR implications would suffice.
For me, one of the key aspects of GDPR which isn’t discussed as often as it should be is the actual act of stopping and considering data protection. Actually stopping to consider what data is being processed, what the risk level would be if this data were leaked or otherwise breached, how permission or another lawful basis for processing was arrived at, and so on, is a key part of GDPR. This is the part that demonstrates compliance: that GDPR has been thought about and decisions taken. From here, in my view, it is a risk-based decision.
In both of the examples I cited, the teddy bear and the yearbook, the anticipated risk is low, so the act of giving it thought and taking a decision should suffice. There is no need in these cases to get hugely concerned and spend massive amounts of time and effort; this would be disproportionate to the risk level. I would suggest that simple common sense in these cases should suffice.
Where, however, the data involved is more extensive, where the data is shared with third parties, and where the risk of harm or distress is greater, a more extensive level of consideration is required.
So, in conclusion, don’t panic! In most cases, where the risk is low, make sure you have stopped and considered GDPR and data protection, and make sure that such consideration is documented, even if only in an email or in the minutes of a meeting. If, however, the risk of harm or distress is high, then make sure more comprehensive consideration has been given.