The General Data Protection Regulation (GDPR) becomes enforceable on 25th May 2018, and your organisation should already be promoting a strong culture of protecting data ahead of that date. As the deadline gets closer, everyone who handles personal data will be responsible for ensuring that they comply with the GDPR.
However, do you know where to start?
Background – how does the new General Data Protection Regulation apply to schools?
The GDPR covers any personal data that is stored or processed using computers, as well as personal data held on paper in a structured manual filing system. It applies whether the data sits on a standalone computer, a network server, in the cloud or in handwritten notes.
In an educational setting, for example, that means any and all personal data held on students, parents, staff and governors.
Organisations must also be able to evidence how they comply in practice, not just produce a set of compliant policies or protocols.
Below, we detail the 3 key steps to get ahead before 25th May.
1) Produce a data map
In the example of a school, the school needs to identify every category of personal data it holds about students and staff, the purpose for which each is held and how it is processed. By doing this the organisation becomes familiar with the personal data ecosystem within the school.
This information can then be used to run an audit. To help with this, the ICO has an audit tool that RAG rates* your current practice and gives a clear indication of your strengths and areas for improvement. The result can be printed off. As you progress you can repeat the audit as many times as you want to measure progress; this provides a useful framework for planning as well as good evidence of the action you have taken.
*RAG rating:
Red: not implemented or planned
Amber: partially implemented or planned
Green: successfully implemented
2) Promote good practice
Your organisation should already be promoting a strong culture of protecting data. In preparing for the GDPR you should:
- appoint a data protection officer
- train staff
- carry out an information audit
- update and review policies and procedures
- tell people why the data is being collected.
3) Ask questions
In addition to producing a clear description of the data, the following questions should be put to the people responsible for collecting personal data.
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- How long will you keep it for?
- How will it be kept secure?
- What process is it needed for? (e.g. admissions, recruitment)
- How is security maintained?
- Who has access to the information?
- Who manages the data?
- Who are the data subjects?
- What is the source of the data?
- What software is used? (if any)
- Where does the data go inside the organisation?
- How is the data stored?
- Does the data leave the organisation?
- Is the data transferred across national borders to countries not covered by the GDPR?
Test your GDPR strength against these 3 potential data issues:
To identify how prepared you and your organisation are for the GDPR's enforcement date of 25th May 2018, we have put together 3 scenarios describing potential data problems for you to resolve. Answer them below:
Issue 1: Governors
Confidential papers are being distributed to governors via their personal email addresses. These papers may contain sensitive personal information about staff. When a governor's term of office ends, you have no control over the deletion or destruction of the confidential documents they hold digitally.
How would you resolve this?
Issue 2: Cashless pay system
The establishment where you work has introduced a new cashless catering system, which involves both collecting new data for a new purpose and using existing data for a new purpose.
What should be conducted?
Issue 3: Holding data externally
Staff are holding student data on personal USB drives and using them to take student data offsite to work at home. This means that staff may have several USB drives containing student data, and some may have transferred the data onto home equipment.