Start your preparations for GDPR
Every member of staff in school is responsible for protecting the data you hold. If you haven’t already done so, you should start planning now and ensure you understand GDPR and your responsibilities.
There seems to be a lot of panic related to the introduction of GDPR; however, compared to many private organisations, schools are much better placed to address the new regulations. Whilst there are many extra demands required to map and audit personal data stored and shared, schools with existing rigid data protection policies should see GDPR as an opportunity to improve the way they work.
What should you be doing to prepare?
There’s lots of information out there and we have done our best to gather it together and present it in a way that makes sense to schools. We believe the below guides and resources will help you start your preparations with the right approach.
GDPR & Schools – find out what is changing and how it may affect your school
Preparing for GDPR in Schools - the 12 steps you need to take to prepare for GDPR
Readiness tracker – download and record your actions step by step to track your progress
GDPRiS articles – read through our articles about how GDPR will affect schools
In addition to the above, there is a wealth of information on the Information Commissioner’s Office (ICO) website.
What exactly is the role of your school under GDPR?
You are the ‘data controller’ and therefore responsible and accountable for the data you hold. Anyone else you are connected with, such as third-party suppliers, who also process personal data is called a ‘data processor’. Under GDPR, data controllers and data processors will have equal liability should there be a data breach.
How will GDPRiS help you achieve compliance?
GDPRiS is a simple and intuitive tool; it reflects existing processes and the way schools work, whilst proactively prompting you to meet and exceed the new General Data Protection Regulations.
Our Suppliers area forms an integral part of demonstrating your compliance under GDPR.
It offers a comprehensive list of suppliers and their products, with instant mapping. As part of our product mapping process, GDPRiS stores information about the standard data processed by each supplier. Additionally, GDPRiS goes a step further, capturing the legal basis for your processing and retention of information, and considering how the rights of the data subject are met.
Which Suppliers should be added to the GDPRiS tool?
Confusion may arise as to which of the hundreds of suppliers used by a school should become part of a data audit and thus be added to GDPRiS. To clarify, not every supplier needs to be added to GDPRiS, only the ones where the school is the principal or shared data controller.
Here are some examples:
A book supplier asks the person ordering the books for their name, phone number and email address. The book supplier is the data controller and is responsible for keeping your data safe, and you have every right to ensure it is kept safe and correctly managed. However, this supplier would not be part of your audit and therefore would not be added to GDPRiS.
A book supplier has an area online where a teacher can test their students on the content of their books. The teacher uploads student names and the students log in to do the tests. This is an example where the supplier is processing data on behalf of the data controller (the school); therefore this supplier would be added to GDPRiS.
Documents and training
Under GDPR it is a requirement to demonstrate that all staff have undertaken Data Protection training. This area will make up part of the evidence that you are complying with GDPR.
The Documents and Training area is great for sharing internal policy and process documents and training materials, and for accessing GDPRiS training materials and videos.
Under GDPR, certain types of data breach must be reported to the relevant supervisory authority (in the UK, the Information Commissioner’s Office – ICO) within 72 hours, and in some cases to the individuals affected.
This is a tight timescale, considering you need to find out about the breach, establish whether it is a reportable breach and then report it to the ICO.
The true meaning of a breach under GDPR is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just the loss of personal data; it is about whether the breach is likely to result in a risk to the rights and freedoms of individuals.
Whilst we hope you will never need to use this area, GDPRiS is designed to streamline the process of breach reporting and enable you to track and manage breaches, ensuring you are able to respond within these tight new timescales. The breach reporting process in GDPRiS follows the guidance provided by the ICO.
All staff should be proactive in reporting anything they believe may be a breach of GDPR from within their individual user account. The Data Protection Manager for the school and/or the DPO can then assess whether it is a reportable breach or not and take the necessary actions to ensure your school complies with GDPR.
Under GDPR, the new Accountability Principle requires you to demonstrate that you comply with the principles, and states explicitly that this is your responsibility.
Within GDPRiS, data maps have been provided by suppliers or from other reliable sources. These include information on the purpose of the collection and processing of data; the legal grounds for processing; where and for how long it is stored; and how the data rights of data subjects may apply. These data maps form part of suppliers demonstrating compliance, alongside any other documents such as Data Sharing Agreements or similar. Full access to these data maps gives schools and their DPOs the opportunity to review and either accept or update them as part of their due diligence.
A data audit is a step-by-step method of looking at all aspects of how you collect, handle and use data within your school. As data controller, a school must be 100% satisfied that everything a data processor says it is doing is true, can be seen in evidence and is checkable. An audit should highlight issues that arise at any step of the processing. Moreover, an audit will produce comprehensive records and reports to demonstrate that the controller has done everything in its power to check that its personal data is processed safely, legally and ensures that the full rights of the data subject are met.
The Internal Audit is the final step to compliance. Once completed, the information will need ongoing input to keep it up to date, so it is important to perform regular Internal Audits to ensure continued compliance.
Getting started with GDPRiS
You will have received a username and password to allow you to activate your ‘live’ GDPRiS site. It is important to note that any data you enter in your ‘live’ site will remain there permanently; therefore only clean data should be entered.
You should activate your ‘live’ site account so that it is ready for use when you have familiarised yourself with GDPRiS. Download our quick guide to activating and personalising your site.