Here's our quick guide, complete with links to find out more.
What is it? It's essentially an update to the existing Data Protection Act, improving and changing regulations on data storage to reflect changes over time - and the many data breaches that have happened. (Here's a frightening list of the UK's biggest ones!)
What is changing? The main focus of change is to increase the responsibility on those who store and manage personal information.
What if we ignore it? Will it go away? Despite the legislation originating from Europe, it will be implemented before any Brexit deal takes place. The Information Commissioner's Office (ICO) will be able to fine organisations (including schools) up to £500,000 - and data security is an area that OFSTED inspectors will look at as part of their inspections of e-safety. So no.
What do we have to do? A good start is to look at the ICO's guide you can download here.
For school marketers, a key area will be point 7 - consent. You need to get positive agreement from people to use their personal data - and to be able to demonstrate this. So if you're holding an open event, asking people to write their email addresses down doesn't mean you can do anything with them!
You also need to review your current stored data (point 2), review the information you give to people whose data you are storing (point 3), check that you can meet people's rights (point 4 - especially the right not to receive direct marketing) and have processes in place for replying to 'subject access requests' (point 5).
Point 9 is also important in the area of reputation management - is your school prepared for a data breach? You might also get involved in communicating changes to your wider community (point 1) and work on the legal aspects (points 6 and 10).
You should also talk to data processing companies (in the marketing area these will include email companies, CRM providers and website creators) and check they are prepared for the change (key issues are where they store data and whether they are properly accredited for disposing of IT equipment that contains personal details). If you need to change supplier it's better to work this out now before the 'mid-2018' GDPR implementation date.
Where can we find out more?
The best place for the latest information is the Information Commissioner's Office, which also hosts a questionnaire so you can see how compliant you are. There are also a host of companies that will be offering 'GDPR solutions' - but make sure you educate yourself before you sign up for an expensive one!