The purpose of the new GDPR regulation is to shift control of EU citizens’ personal data to that of the owner of that data.
Personal data is defined as relating to an identified or identifiable natural person (the data subject) and could be a name, username, location data or details held in online identifiers such as IP addresses or cookies. There are many reasons for a school to be handling personal data, for example:
- Processing data to perform a task in the public interest
- To enable them to fulfil legal obligations such as the school census
- As an employer of the staff within the schools
- For extracurricular activities, publications or events, in these cases they will require consent from parents
What do you need to do?
There are 4 stages to ensuring that you are working towards GDPR compliancy:
Understand what data you are holding, where you are holding it and why you are processing that data. You also need to understand what 3rd parties you are sharing that data with so that you can ensure that they comply with data processing guidelines and that you have and appropriate contract in place with that 3rd party. When it comes to managing where your data is and protecting it, simplicity is key so once you understand what data you have and where it is you should ensure that you are only keeping the data you really need to keep and minimising the locations and applications that have access to that data.
Once you understand what data you have, you need to ensure you put policies and control in place to govern the management of that data. This should include training for your staff on data privacy best practices and how to avoid data breaches through basic cyber security principles. You should also classify your data, this will enable you to put appropriate controls over that data based on the sensitivity. You may wish to put additional controls in place alongside your policies to prevent accidental leakage of data through human error.
Under GDPR your school is obliged to put appropriate and modern security solutions in place to prevent data breach. Whilst no defence is infallible, there are some basic and simple principles that should be followed that will prevent all but the most persistent cyber attacks.
It is important to keep a record of everything you have done to discover, manage and protect your data – being able to show what you have done to comply with GDPR is as important as the tasks themselves.
RM have a range of software and services to support you in evaluating how GDPR compliant you currently are and to identify steps for improvement.
Talk to us more about how RM can help by email - firstname.lastname@example.org - or call us on 0800 046 9798