Have you been approached by a cold caller trying to sell GDPR training or claiming to be a GDPR expert?
With GDPR just around the corner, many schools and other education organisations will fall victim to this kind of approach, but that’s where we can help.
At 9ine, we cut through the noise and provide easy to understand, practical advice and guidance on what’s required for GDPR compliance.
We’ve created four steps below to help you have GDPR confidence.
- Don’t panic and get the right processes in place
The GDPR has three equally weighted components.
The first is governance: the assessment and recording of the processing activity you undertake, and the policies, processes and procedures you have in place to evidence, report on and manage GDPR compliance.
The second is the detail of the GDPR itself, in particular the six principles relating to the processing of personal data set out in Article 5:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
The Data Controller (you/your school) needs to be able to demonstrate compliance in each of the above areas.
Cyber and data security
The third is cyber and data security: the proportionate organisational and technical measures you have in place to protect the personal data that your school holds. This covers aspects such as the management of your IT systems, the use of confidential waste bins, and lockable storage for employees who must keep personal data in their offices.
But what if I can’t meet all the terms?
If you’re unfamiliar with, or unable to meet, all of these requirements, there is a risk that you are not compliant.
This will be a common problem for many organisations. To overcome it, you’ll need to document the mitigating actions you will take to become familiar with the requirements and to close the gaps, and those actions need to be proportionate to the resources of your school.
If you choose to ignore the challenge and do nothing, you are increasing your chances of receiving a fine.
The guidance on fines in the GDPR says:
“Enterprises should be responsible for adopting structures and resources adequate to the nature and complexity of their business. As such, controllers and processors cannot legitimise breaches of data protection law by claiming a shortage of resources. Routines and documentation of processing activities follow a risk-based approach according to the Regulation.”
There are many different proportionate actions you can take to become GDPR compliant, and avoid fines.
- Attend a training course on the GDPR for the education sector.
- Read the guidelines adopted by the Article 29 Working Party, focusing on those covering the application of fines, Data Protection Impact Assessments (DPIAs) and the appointment of a Data Protection Officer (DPO). The guidance on DPIAs will explain how to map the data processing activity in your school (something that we have developed and incorporated within our GDPR toolkit).
- Download our free GDPR Readiness Toolkit here. The toolkit will talk you through the process to become compliant, and you’ll have the opportunity to sign-up to a support service.
- Encourage your IT team to review the National Cyber Security Centre’s (NCSC) “10 Steps to Cyber Security”. This will enable your team to document where work is required for each of the steps and to quantify the remedial actions, with costs.
- Ensure everyone understands their GDPR responsibilities
It’s crucial to understand that everyone within your school has responsibilities under the GDPR, and that they cannot ignore, outsource or delegate those responsibilities.
As a school, your organisation is by definition the “Data Controller”. However, you’ll also have individuals in your school that will be managing how personal data will be processed and protected – acting as “mini” Data Controllers (a term that we’ve created to help you understand the different roles in your organisation).
For example, your head of HR would be a “mini” Data Controller due to them determining how personal data is captured, used, stored, transferred and protected. Likewise, the head of IT, Finance, Admissions and Estates will be conducting similar activities.
Tips to manage “mini” Data Controllers:
- Determine which individuals hold responsibility for processing activity.
- Document these roles and responsibilities within a framework (9ine’s GDPR Toolkit has a ready made framework to help).
- Send an email to the people identified explaining their role, and provide them with PDF copies of the relevant Article 29 Working Party adopted guidance.
- Ask those identified to review it in light of their data role, and to share concerns on how to be compliant.
- Document the above actions, their responses and the risks that follow.
- Document what organisational and technical measures your school could take – in relation to your resource – to become compliant.
- If resources are not available, issue the risk log to the highest level of management in your school, which may be your board or governors.
- When speaking to your management team, explain the requirements for the regulation and penalties for non-compliance as detailed in the Article 29 Working Party “Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679”.
- Complete the data mapping process
One of the most important activities that your school must do before May 25th 2018 is the data mapping exercise.
This activity enables you to account for good governance and the protections applied to processing activity. To help, we’ve developed a full suite of documents you can use (subject to signing an NDA). For access to these documents please contact us here.
Every school has a similar data mapping process, and we have a database against which we can compare your school. This helps improve the quality and efficiency of your process.
Once you’ve completed the data mapping process you’ll need to complete a data protection impact assessment (DPIA) on high risk areas of processing activity.
The Article 29 Working Party’s guidance on DPIAs explains how this process works, and, following that guidance, our toolkit includes templates and a workflow for you to follow.
When you’ve completed your DPIAs, you’ll need to identify any risks to processing activity, and document proportionate organisational and technical measures to mitigate them.
As mentioned earlier, the measures you take need to be proportionate to your resources, and where risks cannot be mitigated, you need to document it.
At 9ine, we have support packages that can help and guide you on the assessment of risk and the definition of proportionate technical or organisational measures. For more information, click here.
- Prioritise your risks and actions
The next step is to assess your risks against Article 32 of the GDPR, which sets out the requirements for the security of processing.
This will enable you to identify gaps in compliance and how much financial investment is required to fill them.
It’s very important that you prioritise the highest risk gaps first, and take action to mitigate those risks. But, be aware that some GDPR support businesses will use these gaps to try to sell you products and services that may not be right or necessary for your school.
There is limited guidance on what is “right” or “wrong” when it comes to deciding on a mitigating action.
At 9ine we work with schools across the UK, France, Belgium, Italy, Luxembourg, and Switzerland, and our GDPR audit and compliance services are firmly grounded in the operational impact the regulation will continue to have upon school practice.
In addition, in January we’re launching a new audit and compliance service, the Annual Service Plan, for schools that require cost-effective support.
It’ll provide on-demand, independent consultancy time for GDPR compliance, quality assurance and breach management. The service is a 12-month contract and will give you access to templates, resources, regulation alerts and training materials.