What should you do when ICO comes knocking?

The implementation of the GDPR was not the final hurdle, it was just the starting line! You should’t panic if you’re having an ICO Advisory Visit or an ICO Audit, just make sure you understand the difference and what is expected of you.

It is now even more important for schools to look at their on-going compliance and ensure they can evidence the steps they are taking. The ICO are already undertaking advisory visits in schools and have planned an overview audit of MATs starting in the new academic year.

What is the difference between an ICO Advisory Visit and an ICO Audit?

1) ICO Advisory Visit

The ICO Assurance Team will arrange to visit your school to perform an audit, the resulting report will provide you with details of what you do well and advice on areas you need to improve.  This advisory report is not published online, only the fact that you have received an advisory visit and when it was.

2) ICO Audit

The ICO Assurance Team will send you advance notification that they intend to visit your school or group of schools to perform an audit.  The ICO Audit will look at whether you have effective controls in place alongside good policies and procedures to support your data protection obligations. The ICO Assurance Team will check if you are following data protection legislation as it applies to your organisation and the resulting report will make recommendations on areas for improvement. Previous reports have been published on the ICO website and kept there for one year.

Remember, in the event of a serious data breach, the ICO has the power to fine an organisation up to 4% of its annual turnover. In some schools, particularly MATs, this could be over £1 million.

What have the ICO done so far?

The ICO have performed various advisory visits in schools during 2017 and 2018. You can view the advisory visits and audits the ICO have carried out in the education sector on their website.

The ICO can also carry out visits across parts of a sector in order to gain an ‘overview’ of how well that sector manages data protection and they publish these reports on their website.

In February 2018, the ICO published an Overview report of the Nursery sector based on data protection advisory visits to eleven nurseries across England, Scotland and Wales during 2016 and 2017. The resulting report gives us a good indication on areas schools should be focussing on to ensure they are able to comply.

How we will support you with a visit from the ICO?

GDPRiS is a cloud-based data protection monitoring and management tool, delivering the evidence you need when you need it. We are already supporting some of our users who are preparing for advisory visits from the ICO. We talk them through what the ICO are asking of them and advise the best ways to present the evidence.