A core part of data privacy and protection compliance is about demonstrating accountability. This includes the ability to evidence management accountability, to demonstrate who will be assuming which responsibilities as part of an equally demonstrable set of defined procedures for when things don’t go to plan!
The first step in a data privacy and protection compliance strategy is to identify the roles and responsibilities of the key people involved. You will need to document the area/s of processing that these individuals are responsible for (e.g finance, admissions, HR), and their level of seniority (shown below) as this determines their level of accountability and impacts on areas such as training, crisis planning and business continuity. Strong governance around roles and responsibilities in data protection also involves the record keeping of data protection training that has been undertaken across the school. This provides visibility of the level of expertise within your school as well as helping to identify any gaps in capability that may be impacting on your school’s level of risk. (There is more information about recording training later in this blog.)
9ine’s Governance, Risk and Compliance (GRC) platform has been designed to take into account the different roles and responsibilities required to demonstrate good governance for data privacy and protection within your organisation. The below image provides an example of how 9ine’s GRC platform considers the different levels of accountability mentioned above and divides these among a number of pre populated roles, as well as providing useful guideline text that avoids any ambiguity about what each role entails in the context of data protection.
In a recent 9ine blog, How to Plan for a Data Breach in Your School Network, we discussed the five common characteristics of a data breach in school. These included the high expectations of parents and in some circumstances, the uncompromising time frames involved in reporting to the regulator and the individuals affected. Your staff, parents and board members/governors will have very high expectations about how quickly you identify the impact of a breach, the mitigating actions required to minimise that impact and the people involved. Managing the expectations of these parties and ensuring legal compliance in this intense environment is near impossible without a tried and tested plan in place. This is why we recommend that you consider the roles and responsibilities of the individuals within your organisation as an integral part of your data privacy and protection governance procedure. This approach can benefit your school in a number of different ways, as detailed below.
Providing reassurance and confidence by having a clear escalation path.
When your school is required to manage a data incident, the time scales for reporting internally, to the regulator and the individuals affected can be tight. Using the roles and responsibilities tool in 9ine’s GRC platform, means you can specify who should be notified in the event of an incident within your school and this will help you to implement an escalation matrix so that your team understand who to turn to when escalation is needed, protecting both the interests of the data subject/s and improving internal communication at school.
Keeping up with training and awareness obligations.
If staff do not receive appropriate training, commensurate to their role, there is a risk that personal data will not be processed in accordance with data privacy and protection law or the expectations of the school community. This could result in regulatory action or reputational damage to your school. As part of data protection governance schools must provide staff with data protection, records management and information security training. It must also provide staff with training that promotes awareness of regulations that relate to their roles and responsibilities. Also, needs based training for all staff, induction and refresher training, together with specialist training for certain roles will be required. Without capturing and understanding your school’s data processing , who is involved and the potential risks for data subjects, it is difficult to match the right level of training to the roles within your school. Lack of training can lead to inadequate and sometimes, inappropriate decisions being made - which can put your school at risk. Below is an example of 9ine’s user-friendly, auditable record of training, associated with an individual's profile.
Improving day-to-day school operations with clear governance.
Aside from meeting compliance obligations and the clear advantages of having clear data protection governance in the event of an incident, there are other advantages associated with determining the roles and responsibilities within your organisation that may benefit the day-to-day running of your school. Good governance improves efficiency and communication and makes team management run smoother. For example, visibility across all roles and responsibilities makes succession planning easier by facilitating smooth internal transitions when staff members change roles. This reduces disruption to your compliance progress and can assure consistency in approach.
Improving the governance of roles and responsibilities using technology.
9ine’s Roles and Responsibilities tool connects your stakeholders and simplifies the management of organisational roles and access provisioning in data privacy and protection compliance. Using the tool you can confidently evidence management accountability with a complete set of education specific governance roles and responsibilities, escalation path, built-in workflows and training records. It simplifies the ability to communicate new and changed organisational requirements to individuals who may be impacted as well as concerns, issues and problems with data to the individuals that can influence change. Each profile includes a training record so you can track training and further requirements, and increase the capability of your team to improve best practice. To learn more and get a free trial visit https://www.9ine.uk.com/app.
ABOUT THE AUTHOR:
Olivia Malaure is 9ine's Head of Content Marketing and has worked in the education sector as both an educator and marketer for 20+ years. Prior to working in edtech marketing, Olivia worked in print media as deputy editor for a publication in the family and parenting sector. She holds a Bachelor of Dramatic Art and a Diploma of Digital Marketing (CIM).