Expanding MATs – the importance of due diligence

Based on data in the government website GIAS (Get Information About Schools) 221 schools will have closed and reopened as academies in 2019. Some will be creating new trusts, but many will be joining established MATs and this is where the importance of due diligence on the data protection protocols of joining schools come in.

There are various government incentives for MATs to spread their wings to expand and we will be seeing more schools changing to academies and joining existing trusts in the coming years.  We have heard feedback from some MATs that they often have little choice in taking over certain failing schools.

… but there are hidden dangers in taking on new establishments as the hotel chain Marriott recently discovered BIG TIME! The firm’s problems were inherited from the Starwood hotels group which it acquired in 2016.  On issuing its intention to fine the hotel chain £99 million, the Information Commissioner’s Office (ICO) announced there were no excuses. The hotel chain should have undertaken more effective due diligence and put in place “proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Throughout Government guidelines for MAT development and growth, there is NO reference that due diligence should be carried out on the data protection protocols of the joining school(s). Even more worrying is the lack of guidance of what must be done relating to changing the data controller of personal data. All data subjects must be informed of the change. It is good practice to communicate to them how these changes affect their data and who to contact regarding this.

It is easy in a very busy era of change to forget to carry out correct closing-down procedures. A similar scenario happened to an estate agent who was fined £80K by ICO. A security breach happened when personal data was transferred from one server to another and someone forgot to switch off a function which left the data exposed. The fine would have been much larger had the breach happened post-May 2018.

We asked GDPR in Schools Chief Operating Officer, James Grew what help is available for MATs who are taking on new schools?   

“We firmly believe that MATs should ensure schools joining undertake a gap analysis and look at the compliance status of the joining schools, where gaps currently exist and which of those gaps need to be addressed urgently. GDPR in Schools has undertaken onsite independent audits of schools joining MATs which highlighted some major data protection issues which, fortunately, were easily rectified.”

James Grew, COO, GDPR in Schools

Many MATs use the GDPRiS platform which was created by Lynne Taylor, who also founded ParentPay which revolutionised the UKs school payments market.  Lynne added,

“To facilitate this analysis, our GDPRiS platform has various tools to help schools and provides a dashboard summary of a school’s compliance journey. GDPRiS has the data maps for over 3,000 education products which takes away much of the hard work and saves so much time.”

Lynne Taylor, CEO & Founder, GDPR in Schools

To find out why MATs are turning to the GDPRiS platform to monitor and manage their compliance, please book a demonstration and get peace of mind in your compliance journey.