The top 5 tasks you SHOULD have completed to ensure compliance with the GDPR
It’s been several months since GDPR Day – here are 5 things you SHOULD have completed by now:
1 Appoint a DPO and inform the ICO of their details
It is a legal requirement under the GDPR that every school appoints a Data Protection Officer (DPO). You MUST also tell the ICO the details of your appointed DPO. Whilst OFSTED have confirmed that at present the GDPR will not be part of an inspection, OFSTED must check that schools fulfil their statutory duties as part of their leadership and management judgement. If, for example, they were to ask for details of your DPO and none had been appointed, you would not be meeting your statutory duties, and this would have a negative impact on your OFSTED rating. GDPRiS has details of the most cost-effective DPO services and solutions for schools. Simply contact us and we’ll put you in touch.
2 Staff Training
Training all staff in data protection principles is key to ensuring that your data protection policy is actually carried out. NEARLY EVERY DATA BREACH IN SCHOOLS IS THE RESULT OF HUMAN ERROR. Not only do you need resources to train your staff, but you also need to evidence what training has been delivered, to whom and when.
3 Data Mapping – Who, What, How, When, Where and Why?
As data controllers, schools must know where all personal data is processed and stored, and ensure the rights of individuals are met. You must have a clear overview of how your suppliers process data. You are obliged to check that they do so lawfully and do not keep it longer than required. This is a statutory duty and you may be asked to confirm this during an OFSTED inspection. It is important to note that under the GDPR a data controller can be held jointly liable for a breach that occurs at its data processor. Uniquely, GDPRiS provides comprehensive data maps, including the legal basis for processing, retention periods, compliance information and how the rights of individuals are met, for more than 3,000 education suppliers.
4 Privacy policies, data sharing agreements, and more
You must have contracts with all suppliers that process personal data on your behalf, and have access to their privacy and/or data sharing agreements. If they use ‘Cookies’ you need a record of how they do this. Of greater importance, you MUST know and understand the lawful basis for processing personal data and, in particular, for processing special category (sensitive) data. All this information is accessible in the GDPRiS Supplier Product Directory.
5 Carry out a risk analysis of sensitive processing activities
On the ICO website there is an explanation of what is required by law to mitigate risk when processing personal data. For any processing likely to result in a high risk to individuals, you will need to carry out a DPIA (Data Protection Impact Assessment) to find out where the risks lie and how to reduce them. GDPRiS users have access to DPIA templates for differing scenarios, and our staff are always on hand to answer any questions.
GDPRiS supports all the above and provides evidence of every process.