GDPR for Schools
Act now to keep everybody on track with GDPR compliance, by booking a ‘soft’ audit day.
Once your audit day is booked, your DPO can structure the day to their own needs, but we suggest as a minimum that we follow a real-case-scenario Data Protection Advisory Visit Report, which will cover the following:
- Review the Data Mapping Exercise – The ‘What, Why, Where and How’ of data held.
- Data retention – Review of school records and safe data destruction. You can save money and free up space for backup whilst fulfilling the requirements of GDPR.
- ‘Buy in from the Board’ – is GDPR a regular item on the Board agenda?
- Overview of your policies & documentation – version control
- Review and update your procedures under GDPR
- Fair processing – review your privacy notice(s)
- Data breaches: the data breach action plan/appropriate records – a solid action plan and clear documentation of preventative action can only serve you well in an Ofsted inspection or an ICO investigation.
- The rights of data subjects, including Subject Access Requests and the Right to be Forgotten – how are you dealing with these, and what records are you keeping?
- Processing of data – Lawful basis
- Removable Media – the school policy
- Physical security – such as cabinets, drawers and windows
- Compliance monitoring – spot checks
- Secure printing
- Data Processors – the right to audit – documented in contract
- Review and refresh staff training and awareness with materials and posters – breach reporting and any other training which may be job-specific.
- Acceptable Use – Staff and Pupils
- Ask questions
- Produce an agreed review and action plan for demonstration of your journey towards compliance and ‘basic IT security practice’.
What will your audit consist of?
- Addressing the main concerns and questions from the DPO
- .gov annual review of school records and safe data destruction (document). If required, we may suggest a senior visit to carry out data minimising and to create a shared drive of records ready for destruction.
- Walk through data protection toolkit for schools
- Suggest literature, posters and staff training and awareness prompts (the ICO recommends refresher training for staff every 6 months)
- Summary of support documents that can be supplied to DPO if requested, plus DPO ‘to do’ list
- Audit appraisal form/comments
- Diarise the next review date