UK GDPR proposed changes – what is a PMP?
By now, your school will be familiar with best practice regarding data protection regulations. In summary, schools should:
- Understand the personal data held, whether it’s legal to be using it and what is needed to protect it
- Understand what protecting personal data means – objectively evaluate the resources (people, money, time) needed to protect the personal data from known risks and others you identify
- Do something about the risks – train people, put policies, processes and procedures in place
- Report on mitigating actions – share the measures you are putting in place to protect data so school leadership can understand where the risks are
- Have an improvement plan – show that you know what more you can do when you have more resources
- Be able to demonstrate what you are doing to protect data and take accountability
However, there will be a reform in data protection law in spring 2023. The reform will bring with it a new obligation – to follow a privacy management programme (PMP).
What is a PMP?
A privacy management programme (PMP) is a set of structured category-related tasks that enable a school to demonstrate the principle of accountability. Common categories to do this include:
- Leadership and governance
- Records of processing
- Incident and breach management
- Information rights and data ethics
- Training and awareness
- Data sharing and contract management
- Information security
- Risk management and controls
- Policies and notices
The government proposes schools adhere to the following measures under a PMP:
- Appoint a suitable senior individual to be responsible for the programme, very similar to a designated safeguarding lead (DSL). A data protection officer (DPO) will no longer be mandated
- Implement risk assessment tools which help assess, identify and mitigate risks. These require a comprehensive assessment of data protection risks, however, they are not as extensive as those required under the EU-GDPR
- Take a more flexible approach to manage compliance
The designated senior individual responsible for a PMP programme will:
- Represent or delegate a representative to the Information Commissioner’s Office (ICO) and data subjects
- Ensure appropriate oversight and support is in place for the PMP
- Provide tailored training to ensure staff understand their school’s policies
- Regularly audit the efficacy of the programme
What do schools need to consider?
Schools with an in-house DPO will need to think which senior individual will take on this role and what will happen to the DPO if they move into the role.
Schools with no in-house or outsourced DPO, or data protection expertise need to understand the scope, depth and breadth and what they really should have been doing.
What problems does the senior leader responsible for a PMP need to address?
- Understanding the depth and breadth of a PMP. Specifically, the time and resource required
- Being able to identify, assess and manage privacy risks, ranging from policy/procedure through to contractual, international data transfer and cyber risk management
- When complying with Keeping children safe in education (KCSIE) schools need to have in place policies and procedures for vetting the use of technology to ensure the school can ‘identify, intervene and escalate any concerns in pupil, students and staff use of technology’. They also need to look at policies and processes for an annual review of technology and the risks of harm that can be generated from its use
Looking for more support?
Take our course A Guide to UK Data Protection: Education
Endorsed by 9ine, specialists in data protection, this course will give you a firm understanding of the principles of data protection, as well as acquaint you with the essential requirements in your school. It will be updated in spring 2023 in line with the changes to UK GDPR.
Adopt 9ine’s Privacy Management Programme at your school
9ine’s UK-GDPR Privacy Management Programme is a proven set of categories and tasks that enable your designated senior leader to easily manage privacy and cyber compliance at your school. Using the programme your school will understand the amount of people, money and time required to achieve and maintain compliance.
For practical training to implement a privacy management programme, 9ine’s training programme Embedding a Privacy Management Programme in your school begins in November 2022.