With the deadline to implement the General Data Protection Regulation (GDPR) coming closer, it is important that you put strict procedures in place to ensure all your data is protected. This applies both to the data you share with your suppliers and to the data you process in the office.
To help you do this, we have put together a list of things to check with your suppliers and the school office.
How to make sure your suppliers will protect your data
To ensure that your suppliers are protecting your data, your Data Controller must ask companies they share data with the following questions:
- Will you be GDPR compliant by 25th May 2018?
- How can you prove this?
- How is our data used/shared?
- How secure is the data?
- Do you back up the data?
- Can the data be destroyed?
- How long is the data kept for?
- Can you confirm if the data has been destroyed?
All these answers must be in writing and cannot be confirmed verbally.
In the case of third-party processors, the Data Controller from the school or academy is responsible for compliance and decides what data is shared. However, both parties need to keep a record of the processing activity.
Processors need to have a contract and terms and conditions in place with the controller before any invoice can be sent. If the data controller leaves the supplier, both parties are then responsible for deleting any data, and each must confirm to the other when this has taken place.
If you need to know more about the basics of GDPR for schools, click here to read our previous blog post.
Another way to ensure all your data is protected is by having the proper security procedures in place for your office. For this, you should ask yourself the following questions:
- Is the server secure?
  If your server is easily accessible, it may be best to move it to a secure location such as a locked cupboard that only certain members of staff can access.
- Do you have a lock screen policy?
  When any member of staff leaves their device, they should lock the screen properly so that all data and work is hidden.
- Do you change your passwords regularly?
  GDPR states that passwords for your devices should be changed regularly.
If you see any of these security measures being breached, you must report it as soon as possible.
GDPR will introduce a strict 72-hour time period for all security breaches to be reported to the ICO. This period includes weekends and bank holidays, and if you miss it you could face serious consequences.
Want to know more?
We hope this has helped clear the air about GDPR, even if it is just a little. However, if you’re still confused and feel like you need more help, we can offer you just that.
On 7th March, we are holding a GDPR training session where our guest trainer, Stuart Abrahams from Think IT, will talk through everything schools will need to know concerning GDPR, showing practical scenarios that apply to the education sector, and third parties that will be able to make becoming compliant much easier.
If this interests you, click the button below and book your place.
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. You may not rely on this as legal advice.