G-Day is just six months away. As part of our ongoing guidance, here we look at Governance, one of the three main areas of GDPR readiness alongside Data Protection and Cyber Security.
In this context, governance is:
- The structures, policies, processes and procedures used to evidence and maintain compliance.
And, within it, there are:
- Assurance - the management reporting and data structures that demonstrate your governance is working as it should, and give your organisation confidence that it is.
- Accreditation - third-party assessment, codes of practice and certification.
The Government and the Department for Education have already made it very clear that the "10 Steps to Cyber Security" is the code of practice and that Cyber Essentials is the certification mechanism. All organisations are expected to comply with both.
To implement the 10 Steps to Cyber Security, you need a strong governance mechanism that produces the management data you need to evidence and control the risks around your processing of data and your IT systems.
The 10 Steps and the ICO guidance on the GDPR both also require that board members (governors / trustees) understand them and the risks they address.
To protect the data you process and the IT systems you use adequately and proportionately, you need to understand what types of data you hold, where they flow and which systems process them.
This means a comprehensive data audit and a detailed IT systems audit that together identify risks and actions, classified by the areas within the "10 Steps".
The principles of the 10 Steps, taken with Article 25 (Data Protection by Design and by Default), mean the same protections must also be applied to non-digital, non-IT processing activities - for example, the manual handling, distribution and storage of documents containing personal data.
What should you do next?
We can provide you with comprehensive support and services related to the GDPR. Here are some of the options.
- GDPR Practitioner Courses
These are designed for education, and enable you to evidence that your GDPR lead or DPO can apply their knowledge of the regulation. Please note that limited places remain.
- GDPR Readiness Sessions
We have a limited number of no-charge sessions available. These one-to-one, hour-long sessions provide the full GDPR readiness tool kit as a Google Sheet; we take you through the tool kit and discuss how to use it to demonstrate strong governance.
- GDPR Readiness Service
This tried-and-tested structured service enables your organisation to understand the Data Protection, Cyber Security and Governance implications of the GDPR.
- 10 Steps to Cyber Security Technical Audit and Advisory Service
Our independent service provides a comprehensive and efficient assessment of what you need to do to become compliant and, importantly, what a proportionate response to the risks we identify would be.
- Notices and Policy Support
You can work with our leading data protection team for education to develop your privacy notices and your subject access request policies, processes and procedures.
- Annual GDPR Audit and Assurance Service
This programme supports you in managing the Data Protection, IT / Cyber Security and Governance obligations the regulation imposes.
Stop Press … GDPR updates and guidance … Stop Press
Department for Education:
Updated standard privacy notices.
These have been created as standard templates to use. Importantly, though, you can only tailor them for your school after completing a data mapping exercise and an assessment of your processing systems, both IT and manual.
Updated guidance within the Census 2017 documentation on schools being Data Controllers in their own right, on the need to follow the 10 Steps, and on the need to train your staff.
Controller v. Processor:
The ICO has issued draft guidance on controllers and processors for consultation. The guidance is very important if you license information systems or outsource the management and support of your IT systems and services. It will also help you determine for which processing activities you are the controller and for which you are a processor.
Over the next few months we will be publishing more GDPR support and guidance to help you apply the regulation efficiently.