GDPR Compliance for Your School

You have a myriad of things to do and GDPR compliance has just been added to the pile. An expert resource to ease the burden may be just what you were looking for. 

Get Started

Use the buttons below to get in touch and see how do UC can help:
Email Us Schedule a Call

First Steps

The first step we recommend is to put in place what the GDPR Articles refer to as a DPIA – Data Protection Impact Assessment. This is essentially a formal process to understand what data you have, where you stand on compliance and what compliance risks you face. It will lead towards an action plan, but in itself it is purely an information-gathering exercise. The stages we can cover within an initial DPIA are set out below:

1. Data Audit

An audit of the data your school possesses across its various departments:
  1. What data you have across all departments (this should include any data shared with 3rd parties)
  2. Where and how it is kept and any existing security measures
  3. Why it is captured and kept
  4. How long it is kept for
  5. The lawful bases (under GDPR) for its processing

2. Documentation Audit

The GDPR requires a number of policies and contracts to be in place, and requires the staff within the organisation to be aware of and adhere to them. The audit will review which policies exist today. It does not examine the content of each policy, as that follows as an outcome of the DPIA; it establishes whether the required GDPR policies and contracts are in existence.

3. 3rd Party Data Processors

In the first instance, we will compile a register of the 3rd party organisations who process data on the school’s behalf. This register must be included within the DPIA; however, it is not a specific work stream to be conducted by do UC. We will then review the contracts in place with these organisations to ensure they contain the terms necessary to meet GDPR compliance.

4. Risk Register

Each Department within the school will be consulted and asked to help compile a register of all perceived risks to the Data Subjects (individuals) from the data handling (processing) within their specific areas. These will be collated into a school-wide risk register that will be made available for review by the Senior Leadership Team.

5. Risk Assessment

6. IT Assessment

A specific audit of the IT functions should be carried out and reported on by your IT Department. For the DPIA, it is important to review the current IT infrastructure with regard to the processing and security of Personally Identifiable Information (PII).

7. Gap Analysis

Building on the results of the Risk Assessment and IT Assessment above, the gap analysis will identify and prioritise the areas of non-compliance with the GDPR. This should form the basis of a programmatic approach to achieving GDPR compliance.

8. Recommendations / Action Plan

The final step of the engagement is for the above documentation to be provided to the school together with a list of recommended next steps. These may be reviewed internally or in conjunction with do UC, and may be used to compile an action plan to kick off the GDPR compliance programme.

Further to the DPIA, there are a variety of additional services do UC can provide to support your GDPR compliance programme.
  1. Programme Management. Oversight of the GDPR Compliance programme. Working with the internal stakeholders to ensure the necessary steps to compliance are being implemented and delivering regular reports to the leadership or Board of Directors, as required.
  2. GDPR Advisor. Ad hoc engagement to help address any questions or concerns with the GDPR Compliance Programme.
  3. Virtual Data Protection Officer. The Data Protection Officer (DPO) is a role identified within the GDPR framework, although it is not required for all organisations. Its primary function is to provide GDPR expertise to the organisation, to liaise with the Supervisory Authority (the ICO in the UK) and to monitor GDPR compliance on an ongoing basis. The DPO does not need to be a staff member of the organisation, but should be fully conversant with its business activities and personnel, and should report to the senior leadership or the Board to ensure ongoing compliance requirements are being met. A Virtual DPO would be contracted to deliver the above services for more than one organisation.
    1. Note: At this time, while most educational establishments are required to have a DPO in place, independent schools are not specifically named. At present the ICO uses the definitions of a Public Authority within the Freedom of Information Act; however, it is believed that this gap will be closed either in the lead-up to the legislation of the Data Protection Bill or as part of it.
  4. Education and Training. A key measure in ensuring GDPR compliance will be to perform regular training with staff and all associated groups so that they have an up-to-date understanding of secure data processing and best practice.
  5. Audit. It is recommended for an organisation to review its compliance on a regular basis. While a formal audit process for GDPR has yet to be identified, do UC would propose to review and update the initial DPIA on an annual basis.