The 9ine Blog

9ine helps thousands of school leaders and IT teams protect their stakeholders by publishing critical changes, updates and best practice blogs. 

Subscribe to 9ine's monthly newsletter, 9News to receive monthly blogs delivered right in to your inbox.


Cyber security blog.jpg

Focus on Governance and the GDPR

G-Day is just six months away. As part of our ongoing guidance, here we look at Governance - one of the three main areas of GDPR, along with Data Protection and Cyber Security. 

In this context, governance is: 

  • The structures, policies, processes, and procedures used to evidence and maintain compliance.

And, within it, there are: 

  • Assurance - the management reporting data structures that demonstrate and provide your organisation with the confidence that your governance structures are working as they should.
  • Accreditation - third-party assessment, codes of practice and certification. 

The Government and Department for Education have already made it very clear that the “10 Steps to Cyber Security” is the code of practice and Cyber Essentials is the certification mechanism. All organisations are expected to comply with both. 

To implement the 10 Steps to Cyber Security, you need a strong governance mechanism that provides management data for you to evidence and control risk around your processing of data and IT systems. 

The steps and the ICO guidance on the GDPR also both mandate that board members (governor / trustee) understand their meaning. 

To adequately and proportionally protect the data you process and IT systems you use, you need to understand the types, propagation and processing systems of your data. 

This means a comprehensive data audit and detailed IT systems audit that identifies risk and actions classified by the areas within the "10-steps”. 

The principles of the steps, taken with Article 24, Data Protection by Design and Default, mean the same protections need to be applied to non-digital or IT processing activities – for example, manual handling, distribution, and storage of documents with personal data. 


What should you do next? 

We can provide you with comprehensive support and services related to the GDPR. Here are some of the opportunities. 

  • GDPR Practitioner Courses These are designed for education, and enable you to evidence that your GDPR lead or DPO can apply their knowledge of the regulation. Please note that limited places remain.
  • GDPR Readiness Sessions
    We have limited no-charge sessions available. These one-to-one sessions involve the provision of the full GDPR tool kit in a Google Sheet format. In the hour-long sessions we take you through the readiness tool kit and discuss how to use it to demonstrate strong governance.
  • GDPR Readiness Service
    This tried-and-tested structured service enables your organisation to understand the Data Protection, Cyber Security and Governance implications of the GDPR.
  • 10-steps to Cyber Security Technical Audit and Advisory Service
    Our independent service provides you with a comprehensive and efficient assessment of what you need to do to become compliant and, importantly, what a proportionate response would be to the risks we identify.
  • Notices and Policy Support
    You can work with our leading data protection team for Education in developing your privacy notices and subject access request policies, processes and procedures.
  • Annual GDPR Audit and Assurance Service
    This programme supports you in managing your Data Protection, IT / Cyber Security and Governance obligations as mandated by the regulation. 

Want to know more? Please get in touch >>

Stop Press … GDPR updates and guidance … Stop Press

Department for Education: 

Updated standard privacy notices. 

These have been created as standard templates to use. Importantly though, you can only tailor these for your school on completing a data mapping exercise and assessment of processing systems - both IT and manual.

Details here >>

Updated guidance within the Census 2017 on the definition of schools being Data Controllers in their own right, the need to follow the 10-steps, and to train your staff. 

Details here >>

Controller v. Processor:

The ICO has issued this draft guidance for consultation. The guidance is very important if you license information systems or outsource the management and support of your IT systems / services. It will also help you determine which processing activities mean you are the controller or a processor. 

Details here >>


During the next few months, we will be publishing more GDPR support and guidance, helping to create efficiencies in the application of the regulation.