1. Awareness – All decision makers need to be aware that the compliance deadline for GDPR is 25th May 2018. By reading this, you are now already aware. Congratulations!
2. Information – All personal data must be correctly stored. This includes data for all students, staff, parents, governors and anyone else associated with the school. This may mean organising an information audit to ensure that everything is accounted for.
3. Privacy notices – Thoroughly check your current privacy policies and make any of the required changes in advance of the deadline.
4. Individuals’ rights – Check all of your procedures regarding the rights of individuals, and don’t forget your policy on deleting personal data. If you aren’t already doing so, you need to prepare yourself to provide data in an electronic format.
5. Subject Access Requirements – Or SARs, for short. These will need to be handled within one month, as per the new regulations. Make sure your procedures are updated to allow for this change.
6. Legal basis – Much of the data your school will be processing is likely to come under ‘public interest’, which means you don’t need to provide a legal basis to process it. Identify all of that which isn’t covered by this basis and document it. This data must be necessary for the school to function.
7. Consent – For the data that isn’t part of the ‘public interest’, consent is required. Review your processes for obtaining consent, ensuring that it is in line with the GDPR.
8. Children – Parental consent up to 13 years of age, thereafter the pupil’s own consent. How are you going to manage this?
9. Data breaches – In the event of a data breach, it is essential that the correct procedures are in place. All staff must adhere to these if penalties are to be avoided.
10. Privacy Impact Assessments (PIA) – Understand the ICO’s guidance on PIA. When new processes are taken on by the school, using PIA can help you assess the potential risk and impact.
11. Data Protection Officer (DPO) – All schools must have a designated DPO to oversee and, ultimately, help ensure GDPR compliance.
12. International – If you operate internationally, you need to determine which data protection supervisory authority applies to you. You also need to find out where data is held by your suppliers.
GDPRiS is a web based platform designed for schools, that helps manage GDPR compliance. Store documentation, manage suppliers, report breaches, all in one place. To view more detail on the 12 steps, and to download a number of other free resources for schools relating to GDPR compliance, visit the resources section on www.groupcall.com.