Confusion is arising regarding which of the 100s of suppliers used by a school should become part of a data audit under GDPR.
There are 2 steps to establish this.
- Step 1 Identify all suppliers in school
- Step 2 From this list find out which supplier processes personal data for you
Every supplier will not need to be audited, only the ones where a school is the principal or shared data controller.
Here are some examples:
- A book supplier asks the member of school staff who is ordering the books for their name, phone number and email address. The book supplier needs this data to process the order and is the data controller. They are responsible to keep all personal data safe and individuals have rights to ensure it is safe and correctly managed.
THIS SUPPLIER WOULD NOT BE PART OF A DATA AUDIT
- The same book supplier has an area online where a teacher can test their students on the content of their books and the school uses this. Teachers upload student names and students can login in to do the tests. The supplier is processing data for the data controller (the school).
THIS SUPPLIER WOULD BE PART OF A DATA AUDIT
- A school shares, with a recruitment agency, the school profile including the head’s details for the purpose of recruiting staff.
THIS SUPPLIER WOULD NOT BE PART OF A DATA AUDIT (provided the head’s information is in the public domain. Were the head’s private email, phone number or private address given then this supplier would need to be part of the audit)
Am I asking a supplier to process personal data for the school?
- YES – include them in the data audit
- NO – do not include them in the data audit
- MAYBE – include them in the data audit. It will become clear during the audit whether they should have been included or not