The GDPR, which came into force on 25th May 2018 as the Data Protection Act 2018, is a step change in data protection and privacy law in the UK. It’s not just about information technology, but all data we hold as an organisation.
It is in place to give data subjects control of their data and gives organisations processing that data (including schools) more responsibilities in relation to how they collect, process, store, share and destroy data.
As a school we collect and hold a great deal of personal data - not only about students, but also staff, parents, volunteers, visitors, suppliers and other ‘data subjects’. GDPR requires us to not only minimise any risks to the unauthorised access and loss of personal data within the organisation, but also to provide evidence and documentation of our processing activity.
In order to demonstrate our commitment to GDPR compliance we are doing the following:
Documenting our processing activity, including ensuring we have a lawful basis for processing
Auditing this processing and identifying and creating an action plan to mitigate any risks to personal data
Documenting the compliance of third-party providers and reviewing contracts to ensure compliance with GDPR
Ensuring that we have processes and procedures in place to ensure the rights of data subjects
Reviewing the technical and organisational measures in place to protect data
Training staff and Governors on GDPR and our data handling procedures