From May 2018 the Data Protection Act is superseded by the EU General Data Protection Regulation (GDPR) , which is a significantly-stricter regime to protect personal information online. I have recently completed our GDPR review.
The two critical changes are
- Explicit consent is required for processing sensitive personal data.
- Parental consent will be required to process the personal data of children under the age of 16 for online services.
What counts as sensitive personal data?
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Of these, only (3) is relevant to Yacapaca. In order for our analytics module to continue to report results broken down by ethnic origin category, we would need written permission from the parent or guardian of every child in the school.
That game, I’m afraid, ain’t worth the candle, so from September that metadata category will be withdrawn. If you use that analysis, you will need to export the raw data and re-import it into a service such as SIMS that still stores this data.
This is not the only change we will need to achieve full GDPR compliance, but it is both the main one and the only one that requires an immediate change. We will be working behind the scenes to ensure we are in full compliance well before the May deadline.