One of the biggest concerns seems to be the storage and processing of personal data in the cloud, as this presents the biggest challenges around “where is it?”, “who can see it?” and “is it safe?”
The GDPR replaces the existing Data Protection Act. Under current legislation you already should ensure that data is kept safe and secure. With the GDPR coming into effect, you’ll have an increased responsibility to ensure this information - regardless of where it is kept - is managed in the right way.
Non-compliance could result in significant fines being imposed by the Information Commissioner's Office (ICO). If the correct policies and procedures aren’t in place, such an issue could also damage the reputation of the school and raise potential safeguarding concerns.
With any data you store on-site, it’s up to you to ensure you encrypt, store, process and destroy it in the correct manner in accordance with the new GDPR. For instance, an InVentry sign-in system is encrypted at the database level using 256-bit encryption, which means that even if the hard drive were stolen, the data would be unobtainable without the key to decrypt it.
There is a big concern that the cloud isn’t secure, and that you can’t store personal information there because you lose control over ownership. This is not true. These huge data centres are protected by state-of-the-art security. You could argue that the cloud is safer than keeping data on your own premises, as it is even harder to locate and access the physical system that holds your information. There are regulations, though. Cloud-based systems are still okay under GDPR, as long as the server location meets the requirements and the system has appropriate security, such as firewalls.
If you are working with companies and providers who are processing data in the cloud, it is up to you to ensure that they are taking the correct steps to keep it safe. There are two key questions that you need to be asking:
1. Is the data stored within the European Economic Area with adequate safeguards?
2. If not, does the company have binding corporate rules, or can it demonstrate that it is processing the data in compliance with agreed standards, such as the EU/US Privacy Shield?
It is important that you understand which countries are involved, and whether they provide the right level of data protection framework for your data. Data subjects should know where their data is being processed so they can make an informed decision about it, and trust the organisation and the digital platforms that rely on the cloud.