The 9ine Blog

9ine helps thousands of school leaders and IT teams protect their stakeholders by publishing critical changes, updates and best practice blogs. 

Subscribe to 9ine's monthly newsletter, 9News to receive monthly blogs delivered right in to your inbox.


GDPR in schools

GDPR in Schools: Five practical suggestions for compliance [Guide]

The GDPR is a complex subject. Not only does it contain 99 interlinked articles. To understand just one of your obligations, you often have to read multiple articles and review guidance on the ICO website.

In this blog – the fourth in our comprehensive GDPR series – we explore those articles that relate to the integrity of data and systems, giving you five practical suggestions for compliance. Use them as a starting point for your GDPR preparations.


1 – You need up-to-date software and firmware

Article 32 1 (b) refers to the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

In other words, if your ICT systems are dated, out of support, or classed as “end of life” by the manufacturer, your school risks failing to comply with article 32. To ensure compliance, you need to complete a comprehensive systems architecture assessment:

  • Document all your hardware – whether it is supported, when it is due to go end-of-life, and if it has all the correct software and firmware.
  • If it is end-of-life or out of support, then complete a risk assessment to define the risk to integrity and security of data should you continue to use it – if the risk is too high, then it needs to be replaced.
  • If equipment is within support, but is not up-to-date with software patching, implement policies, processes and procedures to minimise the risk of this happening again.

If you’re not sure where to start, then we’re here to help. Efficient and effective, our GDPR technical assessment collects this information, determines where your gaps are and puts in place proportionate remedial action given the risks to the integrity of data.


2 - Document your ICT systems and define your management processes and policies

Fail to document your IT systems and associated operational processes and you’re likely to be in breach of article 32 1 (b) (as detailed above) and article 32 1 (c) and (d). 

Article 32 1 (c) relates to the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident while Article 32 1 (d) talks about a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Without documented IT systems and processes, you’re not able to carry out regular testing.  That means you would be unable evaluate the effectiveness of the technical and organisational measures required to ensure the security of processing data.

  • In the event of a system failure, GDPR requires that all your IT systems (and data these support) are quickly and efficiently restored following a controlled and tested approach.
  • Not only do you need a governance framework to evidence this – you’re also required to have regular external assessment to guarantee it.

9ine’s technical systems assessment and assurance gives schools a framework to undertake this exercise efficiently. Remember, where you have a managed service, it’s still your responsibility to ensure and quality review the documentation created by the managed service provider.


3 – Define and communicate the purpose for data processing

With the prevalence of multiple platforms, there’s a risk of uncontrolled propagation of personal data.

Each of your systems needs to be evaluated for evidence of data types – and you’re obliged to allocate a function to that system so everyone understands what data should be stored there and for how long.

  • Clearly communicate system functionality to all users – you need evidence to demonstrate that this has been completed.
  • Complete a Data Privacy Impact Assessment on each system – and evaluate it for measures such as encryption and pseudonymisation.
  • Give additional consideration to any bespoke software supported by a single individual – there’s a possibility your school will be in breach of Article 32 (b) (availability and integrity) should the primary administrator become incapacitated or unavailable.

9ine will be providing a framework and guidance on how to complete this exercise. So make sure you sign up for future updates.


4 - Don’t use unencrypted portable storage for transferring data

If you use unencrypted portable storage for transferring data, there’s a significant risk you’ll be in breach of Article 32 (b), which states, In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

  • The GDPR mandates that appropriate technical and organisational measures (such as encryption) are used to protect identification of data subjects.
  • If you use unencrypted USB devices to store or transfer data or send large amounts of unencrypted data over email, you’d find it challenging to demonstrate compliance with Article 32 and Article 5, which relates to the processing of personal data. 

We are suggesting to all our clients that all staff devices, laptops and PCs are encrypted at a hard disk level. In doing this you'll need to apply encryption to all your devices and have the confidence that this is in place. We have devised a process and technologies to enable you to do this. The ideal time to do this is over this summer. Should you team need help, get in touch.


5 – For a head start, work with 9ine on Cyber Essentials

Article 24 stipulates that organisations need to follow approved codes of conduct and make their compliance procedures available for certification (Articles 40, 42, 43) by an appropriate body.

  • Whilst a certification scheme has yet to be announced (we’re applying for the scheme), the ICO has indicated that other codes will support certification.
  • The first of these codes is Cyber Essentials.

9ine’s ICT technical, cyber and operational health check includes an assessment for the requirements of Cyber Essentials. The output provides you with a quantified list of issues, actions and risk. Using this output, it’s simple to implement proportionate plans based on your school’s size, budget and resource.

If you’re struggling to get to grips with GDPR, 9ine have the knowledge, expertise and focus to help ensure that your school fulfils its obligations. From explaining the articles in layman’s terms to implementing the practical measures and ensuring a cohesive approach, we’re here to help you at every stage of the journey.


We’re organising a course on the practical implications of implementing GDPR, designed to provide hands-on advice and guidance on an efficient approach to compliance. To register your interest in attending, click here.